In his decades-long career, Merck's Bob Moore has mastered security at the executive level.
Salary scales [p.32], Getting hired [p.36]
Protection in every location. Managed and integrated from one location.

[Screenshot: Symantec Security Management Console]

Introducing the Symantec™ Security Management System.

For the first time, security data from multiple locations, multiple tiers — even multiple brands of information security products — can be managed with a single system, at a single console. Which means that enterprise-wide policy compliance is finally a real possibility. It also means that because you've simplified your environment, you can reduce your operating costs. And, most importantly, you can now be more responsive to new and emerging threats, eliminating them before they do damage. It's part of a revolution in information security, a revolution that offers better protection, efficient management and ensured business continuity for your entire enterprise. For our latest White Paper, "Managing Security Incidents in the Enterprise," visit http://ses.symantec.com/USA659A8VE or call 800-/45-6054.
I AM A CISCO 1200 SERIES DUAL BAND WI-FI ACCESS POINT.

I AM 70 MORE MINUTES OF PRODUCTIVITY PER EMPLOYEE PER DAY.

I AM A CISCO WIRELESS NETWORK. I HAVE THE POWER TO CONNECT EMPLOYEES TO VITAL DATA WHEREVER THEY ARE. AND DO IT SECURELY. THAT SAVES TIME. THAT SAVES MONEY. THAT IS POWERFUL. I AM MORE THAN A CISCO 1200 SERIES DUAL BAND WI-FI ACCESS POINT.

THIS IS THE POWER OF THE NETWORK. NOW.

Cisco Systems
cisco.com/mobilitynow


SPECIAL REPORT

"Security people don't listen. Great communication requires listening."
- THORNTON MAY, I.T. CONSULTANT, PAGE 54
COLUMNS

26 Facilitating Security
SECURITY COUNSEL HDR VP of Security Operations Robert Bosco answers readers' questions about security assessments.

28 Diversity Training
FLASHPOINT When systems are homogenized, security suffers. By David H. Holtzman

64 Broken Windows in the Boardroom
CSO UNDERCOVER It's the CSO's job to clearly articulate expectations about corporate behavior and establish accountability.


30 Identity Crisis
INTRODUCTION Amidst terrorism threats and world turmoil, you'd think that support for security would be at an all-time high. You'd be wrong. By Derek Slater

32 Coming of Wage
SALARY SURVEY The only clear trend when it comes to security salaries is that they're likely to rise as the function matures. By Simone Kaplan

36 Bob Moore Knows How to Get Hired...
CSOs will find few job openings but a wealth of candidates for them. By Daintry Duffy

37 ...And How Not to Get Fired
Remember: Once you have the job, it's the little things that help you keep it. By Scott Berinato

48 All Over the Map
ORGANIZATIONAL MODELS Where does security fit into the organizational chart? CSOs offer plenty of opinions, but consensus is hard to come by. By Michael Fitzgerald

54 Why Security Needs to Blow Its Own Horn
INTERVIEW Thornton May says CSOs "couldn't sell water to a man on fire." How can they get the hang of security marketing?


17 Briefing
Above the law?; Terrorism funding; Lessons from a disaster; A standard identity; ASIS speaks up.

24 Wonk
Now clear this: The government works to quicken the pace of security clearance. By Julie Hanson

59 Machine Shop
Information warfare: What is it good for? In this case, the best offense is a good defense. By Simson Garfinkel
TOOLBOX: Access-control technologies

68 Debriefing
Speaking in tongues.
Network Security Engineers are a phone call away.

To keep your business competitive, you need the right IT talent at just the right time.

With more than 100 locations worldwide, Robert Half Technology is a leading provider of:

• Network Security Engineers
• Network Administrators
• Programmers
• Database Administrators
• Web Developers
• Help Desk Professionals
• And other Technology Professionals

With our exceptional connections to the best technology talent available, we'll do more than provide cost-effective solutions to your needs - we'll do it exactly when you need it.

Call today!

800.793.5533 roberthalftechnology.com

ROBERT HALF® TECHNOLOGY
Information Technology Professionals SM

© Robert Half Technology. EOE
A Robert Half International Company
Ira Winkler

Security Counsel

Ira Winkler is chief security strategist at Hewlett-Packard and author of Corporate Espionage. Winkler spent 11 years working with the National Security Agency. Visit SECURITY COUNSEL to post a question about how to protect your business from intellectual property theft. www.csoonline.com/counsel

Online Archives

Miss the March issue of CSO? No sweat. You can find it (and every issue of CSO) on the Web. The March issue features Senior Editor Daintry Duffy's cover story on travel risk services that can help CSOs protect employees when they're abroad. www.csoonline.com/read

Free Newsletters

CSO newsletters delivered right to your inbox for free. CSO UPDATE highlights CSOonline's most recent content. CSO WANTED UPDATE alerts you to the latest security-related job openings in our database. It takes only a few seconds to subscribe. www.csoonline.com/newsletters

Career Adviser

How does one break away from a government position to find a CISO job in corporate America? Our CAREER ADVISER Joyce Brocaglia has the answer. Go online and ask your career questions. www.csoonline.com/adviser
Daily Dose of CSO

Bookmark CSOonline so you won't miss the new content that we post each weekday.

MONDAY
TALK BACK How do you determine where your risks lie? Visit each week to share your opinions on this and other controversial security topics. www.csoonline.com/talkback

TUESDAY
SECURITY CHECK Quick and easy. Vote in our weekly security poll. You may also check the results of previous polls, such as "Does your company have a chief privacy officer?" Most respondents answered no. www.csoonline.com/poll

WEDNESDAY
ANALYST REPORTS We've gathered research and analysis from respected sources and put it all in one convenient package. In a recent report, The Yankee Group forecasts that the host intrusion prevention market will reach $530 million by 2007. www.csoonline.com/analyst

THURSDAY
METRICS Did you know that nearly 50,000 Internet fraud incidents were reported in 2002? Visit each week for the statistics that matter to security professionals. www.csoonline.com/metrics

FRIDAY
POLITICS & POLICY Read our weekly recap of action on the Hill. Get the full text of bills before the House and Senate, and blurbs about other legislative activity — from inside the Beltway and out. www.csoonline.com/politics
INTRODUCING REALSECURE NETWORK 7.0

RELEASED JUST AHEAD OF EVIL THREAT 6.8

Dynamic Threat Protection. The most complete protection available. Leading edge detection, prevention and response that stops the bad guys cold. That's RealSecure® Network 7.0. Our solution offers the most accurate protection at network speeds without slowing you down. Plus, our SiteProtector™ centralized management system makes protecting a large network as simple as the click of a mouse. Or, let us do it for you with our 24/7 Managed Protection Services. Keep evil one step behind. Find out why RealSecure is the market share leader, visit www.iss.net/iss-cso or call us at 800-776-2362.

RealSecure Network 7.0

• Unified protocol analysis and pattern matching - that works
• Analyzes 95 network protocols - catching even unknown attacks
• Nonstop protection at network speeds up to 1Gbps
• Backed by X-Force™, the world's #1 security intelligence team

Internet Security Systems™
Staring at the Check

In the area of homeland security, there is a game of economic chicken in progress. In furthering its compliance strategies for the physical and cyber realms, the Bush administration is devoted to the twin philosophies of letting market forces rule and relying on voluntary public-private partnerships. Kind of the equivalent of being all in favor of paying for lunch, but never reaching for the check.

Those are good things — up to a point (though it's not always easy to say where that point lies). Partnership, in particular, has blunted some of the native suspicion in the business community toward government's regulatory impulses. Positive examples of key players in various industries are taking a leading role in driving such partnerships forward — often out of the sanguine recognition that a failure of voluntarism may soon be followed by something more like compulsion. And in many industries, the connection between tighter security and stronger business performance is more obvious than in others.

By most estimates, in excess of 80 percent of the critical infrastructure is in the hands of the private sector. In most such companies, "doing the right thing" and "acting for the common good" fall somewhere down the enterprise priority list behind making a profit, satisfying shareholders and beating the competition's brains out. Greed is a market force too. And one wonders whether the same market forces that brought us Tyco, Enron, Global Crossing and other choice business disasters can be dependable guarantors of right behavior by private-sector companies. Security, after all, won't come cheaply.

At a recent event held by the U.S. Chamber of Commerce (and partly sponsored by CXO Media, the publisher of CSO), there was plenty of ambivalence about the administration's preponderant emphasis on carrots over sticks. Naturally, business prefers carrots. But missing from the market forces and partnership framework is a clear sense of what constitutes carrots sufficiently ripe and succulent to overcome objections to what many will see as unfunded mandates. Whose nickel is to be applied to the added costs of homeland security? (In some regulated industries, those costs can't be passed on to customers.)

What are reasonable costs of doing business versus a public-safety activity that ought to fall under some government agency's budget? (And does it ultimately even matter whether security is paid for out of tax receipts or in the higher prices of goods and services charged by the private sector?) Who gets to decide what standard levels of security will be the benchmarks for compliance?

Eventually, those questions will touch most companies in most industries. And it may turn out over time that the administration's public posture in seeking kinder, gentler methods for producing compliance is more PR spin than actuality. In industry after industry, the specter of looming "guidelines" — many voluntary but others mandatory — has CSOs and other executives spooked by what they fear will create a compliance nightmare, adding cost and complexity to operations while, in some cases, providing less security than chaos. (Our July issue will include a feature that sounds the alarm on this developing compliance situation.)

This is a complicated set of issues. But if the worthy goals of homeland security stumble over a failure to clearly address the question of who picks up the tab, that will be a bad thing indeed.

- Lew McCreary
mccreary@cxo.com
Introducing CCTP
video surveillance for the digital age

CCTP would have made his life much easier. CCTP, engineered by Anixter, is:

• The only open architecture, standards-based, structured video surveillance solution
• 30% less expensive than traditional CCTV systems
• Video, Power and Control over one optimized UTP cable
• Able to handle existing analog technology
• Ready for the IP surveillance future

Want to know more? Simply go to anixter.com/CCTP or call 1-800-ANIXTER.

CCTP products exclusively manufactured for Anixter by Belden and Siemon.
Winner of the "Best New Technology" Award at the Federal Office Systems Expo (FOSE)


UNISYS PRESENTS

John Pescatore is a vice president at Gartner Research. Before joining Gartner, he was senior consultant for Entrust Technologies and Trusted Information Systems, where he started and managed security consulting groups. Pescatore is an NSA-certified cryptologic engineer.
A few minutes with John Pescatore, Vice President, Gartner Group

IT Security Strategies

> What should a CIO say to a C-level executive who asks, "Are we secure enough?"

He should respond, "You can never be too rich, too thin or too secure."

If that doesn't work, the CIO should pretend his cell phone is ringing, and tell the CXO that he will get back to him. Then he should ask himself why he doesn't have a service level agreement for security, so that he could answer that question. Then he should go to his Chief Security Officer and ask him why there is no security SLA.

> What are the business drivers for IT security? How have they changed over the past 18 months?

They haven't changed at all in the past 18 months. Although the publicity around security has increased since the terrorist attacks, the basic business equation hasn't changed. Businesses need to be secure enough to meet their financial goals. Too much security can be just as bad as not enough. Businesses need to keep the bad guys out, while letting the good guys in, while making money. The reality is that many companies and organizations have begun to look at security as a business imperative. There is most certainly a focus on it at the CXO level and depending on environmental factors, we watch internal priorities around it change.

> How will the information security marketplace change in the next five years?

Pressure will increase to reduce the growth in security spending. Essentially, security groups will need to demonstrate the same productivity growth that business has shown because of IT. CSOs and CIOs will need to keep security top of mind without being the purveyors of doom or inhibitors of growth. This will be achieved through a deeper understanding of the financial impacts of not doing something or considering security upfront.

On the "Keep the Bad Guys Out" side of the market, this will drive the collapse of the intrusion detection market into the firewall market — yielding intrusion prevention appliances that are cheaper than buying multiple firewalls and IDS sensors. The desktop antiviral market will similarly collapse into a desktop protection market, where desktop firewalls and AV clients are one and the same and don't cost any more than today's desktop AV clients.

It will lead to more "Let the Good Guys In" functionality being embedded into operating systems, application servers and portals — vs. being standalone products that require additional per user pricing.

This will lead to at least 40 percent of the companies selling security products today being gone — acquired or shut down — by 2008.

> When does it make sense to outsource IT security?

For 75 percent of enterprises, outsourcing the day-to-day work of monitoring firewalls and IDS sensors and some other repetitive tasks like vulnerability scanning results in a higher level of security at a lower cost.

Basically, the only time outsourcing doesn't make sense is if the enterprise doesn't need 24x7 coverage, or if the enterprise has more security staff than it knows what to do with — and that's not likely.

> How often should enterprises perform vulnerability scanning or penetration testing?

Penetration testing should be done at least quarterly. Vulnerability scanning should be done at least weekly, ideally daily.

> What are the potential security implications as Web services become more widely adopted?

You could say that Web services are just a plot to get through firewalls by tunneling over the HTTP port that firewalls don't inspect very well. Today's firewalls need to perform more security inspection at the application level in order to provide protection in a Web services world.

For more information, please call 800-874-8647 x381 or visit www.unisys.com/security

UNISYS
Imagine it. Done.

How secure is secure?

We help uncover the cyber risks so AIG can provide more cyber insurance than anyone else

Outsourcing
Infrastructure
Server Technology
Consulting

Imagine it:
Underwriting cyber risks - from viruses to cyber-extortion. How do you provide insurance for these new and devastating threats? You understand them first - and work with a partner who could uncover a broad range of security and technology gaps.

Done:
AIG's eBusiness Risk Solutions Group partnered with Unisys and leapt together into cyber protection. Today, AIG eBRS provides most of the world's network security and cyber insurance. And Unisys integrates planning and protection for a broad range of needs like privacy. Identity. Collaboration. Business Continuity. Infrastructure. Our holistic approach is one reason why Unisys has been awarded IT security integration for U.S. airports.

Can we help you identify security gaps? Call us.

Security with precision thinking and relentless execution to drive your vision forward.

Imagine it. Done.

www.unisys.com/security 800.874.8647 x372

Insurance underwritten by member companies of American International Group, Inc. (AIG). © 2003 Unisys Corporation. Unisys is a registered trademark of Unisys Corporation.
One CSO, Many Hats

It's what we thought all along: In most corporations the security function is split between IT and physical, but the roles will eventually merge. Mr. Treece (see "Safe Harbor," April 2003) is a good example of someone who's already on board.

YOUR APPROACH TO INCLUDE A healthy dose of network security issues in CSO embraces the lonely CISOs out there (whether they carry that title or not) and provides great crossover exposure to the people who hold those hats separately. It also hints at what I believe the future holds — the CSO and CISO titles must eventually be held by the same person. Currently there are few people who have the credentials and experience to do both. As one of those people, I see daily how much more effective I am because I can deal with both issues and see the intimate, unbreakable connection between the physical and virtual worlds in business and government today. Bottom line: You are not only on the right track, you are helping to make this necessary merger happen faster.

DENNIS TREECE
Director of Corporate Security
Massachusetts Port Authority

The FUD Hit Home

We also addressed "The FUD Factor" in our April issue and explained that, while fear and uncertainty may move budget money your way in the short term, it's a shortsighted security strategy. CSOs must be forward thinkers. Here are responses from a few who fit the bill.

I'M RESPONSIBLE FOR SECURITY ON our SCADA [Supervisory Control and Data Acquisition] system here in New York City, and I've been doing my best to warn people in my organization about the dangers of using FUD to support various security agendas. My bottom line: Don't tell me about possibilities, show me probabilities — with data to back them up.

KEVIN MCGRATH
Lead Analyst
KeySpan Energy Delivery

THANK YOU FOR ADDRESSING ONE OF the worst mistakes a security leader can make. Security is a business within a business. Security leaders who use business skills to communicate the need for security should be applauded for their talents and positive effect on our industry.

JOE NELSON
Director of Corporate Security
Teradyne
About IDG: International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.


Paved with Good Preparedness

Be prepared. The Boy Scouts have espoused this motto for decades, and it's time the rest of us caught on. One reader cites "Avoiding the Road to Perdition," March 2003, and his surprise at the lack of corporate travel safety.

AS THE RETIRED MANAGER OF GLOBAL security and fire protection for Ford Motor and as a retired Secret Service agent, I was surprised at the number of companies that do not prepare employees with travel awareness-related information. With the activities around the world, and potential for an event, one must be proactive and provide employees with travel awareness and preparedness information.

At Ford, there is an extensive system to inform employees of travel-related information and areas of concern around the globe. A number of other companies do the same. I am an alumni member of the U.S. State Department's Overseas Security Advisory Council (OSAC), and it spent a great deal of time developing protocols and providing an understanding of the advisory system and awareness information within the State Department. A host of information is available to the business traveler at www.state.gov. Other country-specific information can be obtained by going to the OSAC website (www.ds-osac.org).

Once the process is in place, employees will use it. They will also provide feedback as they move around the globe. A company must acknowledge that it has a responsibility to provide information to traveling employees.

RAD JONES
Academic Specialist
School of Criminal Justice
Michigan State University

12 www.csoonline.com June 2003


Weighed Down by Security Data?

With neuSECURE™, industry-leading software from GuardedNet, you can transform those mountains of raw security event data into what you really need - knowledge to help you manage your organization's security posture.

[Diagram: neuSECURE threat management process. Events flow in from firewalls, IDS, routers, operating systems, applications and other sources.]

neuSECURE is a central monitoring system for log aggregation, event correlation, threat analysis, threat response and forensic investigation of security event data from firewalls, IDSs, hosts and routers. neuSECURE facilitates real-time attack detection and response, and generates a wide range of reporting options for operations, management and audit compliance.

For a free white paper on improving your security data relevancy, call 1-888-599-8297 or visit www.guarded.net/logdataoverload.html


You trust the rivets to hold the 44,000-ton steel skeleton together.

You trust the skeleton to support three miles of braided cable.

You trust the cable to keep you suspended in mid-air.

Shouldn't you feel the same way about the security of your network infrastructure?

VeriSign® Security Services address a range of today's business concerns. From protecting your network and applications to securing online commerce and transactions. So now you can feel as confident in the digital world as you do in the physical one. For more information visit www.verisign.com

The Value of Trust SM
Security Services
Telecommunication Services

First There Were Standards, Then There Were More Standards

We spent some space detailing security standards in March's "Guiding Lite." But we haven't finished. This reader reminded us that the discussion is ongoing.

EXCELLENT ARTICLE. HOWEVER, YOU failed to mention that the insurance industry is using ISO 17799 compliance as the red light/green light for issuing cyberpolicies. As one of the leading global insurance brokers for this line of insurance, we are intimately familiar with the ISO standard and the underwriting process. Unfortunately, we have encountered too many companies that have applied for this insurance and were subsequently declined because of a failure to comply with ISO 17799. If at some point your CFO wants to transfer cyberrisk to insurance, your professional standing may be enhanced if you don't have to explain why your organization is declined for insurance when it does not comply with this (admittedly flawed) standard. If you're going to expend the time and resources to conduct an infosec assessment, I would suggest assessing against this benchmark. The insurance industry is in position to put this into place as a de facto standard. Municipal construction codes evolved in a similar fashion from insurance industry fire and safety requirements.

PETER SCHINDEL
Vice President of CyberRisk Services
Arthur J. Gallagher & Co.

Secure Perceptions

Our editor in chief, Lew McCreary, has never paid much heed to armored cars. They don't make him feel any safer than his Volvo station wagon. But they might make you feel safe. And, if they do, maybe you should own one. Sometimes the perception of safety is all that matters. For more, read his letter, "I'm in an Armored State of Mind" in the May issue. This reader did, and he got the point exactly.

YOUR EDITORIAL CAPTURES PERFECTLY the need for holistic CSO views and skill sets. Two emerging realities exist in today's security climate. At Level One, we should consider doing things that make people feel safe; at Level Two, consideration for things that actually make people safe. Throw out the metrics when the human psyche is at work full-time. Ever try applying metrics to diminish human fear? Silly boy! It's slightly more complex than 1's and 0's.

WILLIAM M. BESSE
Director, Corporate Security
Belo Corp.


We want to hear from you

E-mail criticism, thoughts and suggestions to csoletters@cxo.com. You can read the stories mentioned in these letters at www.csoonline.com/printlinks.
...are made up of the people, processes and technology necessary to best secure your infrastructure for your business. By actively managing the process, we take on the complexity, allowing you to focus on what's most important: building your business.

VeriSign® Security Services include

• Authentication Services
• Network and Security Consulting
• Managed Security Services
• Payment Services
• Secure Enterprise Application Integration

To learn more about our Managed Security Services, including an analysis of the key trends in customer adoption, download "VeriSign's Foundation in Managed Security Services" at www.verisign.com/dm/mss or call (650) 426-5310.

The Value of Trust
It's not a subject most security companies address. But ADT takes the growth of your business very seriously. That's why we work hard to understand your business situation. Because only then can we provide integrated system solutions that can not only help protect your company, but can also help secure its growth. Solutions like remote video, which can be a valuable tool for creating a safer environment and improving employee retention. Or surveillance systems that also help manage and merchandise inventory. For a complete scope of system solutions like these, visit ADT.com. Better yet, call us at 1-877-258-6424 and make an appointment with an ADT representative to discuss your needs. You may find that the aspect of your business we're best equipped to secure is its future. ADT. Always There®.
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News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  Carr  and  Daintry  Duffy 


Above the Law?

LEGAL MATTERS Chief information security officers are frequently called upon to draft information security policies. But who polices the security executives? One CISO in Santa Clara County, Calif., is about to find out.

CISO Peter Ekanem was put on administrative leave after an internal investigation concluded he had violated the county’s IT policies. In many cases, the rules that Ekanem is accused of breaking are ones he wrote.

Among other things, Ekanem allegedly used his e-mail account to transfer copies of county contract proposals to a former employee in Ghana. Those documents contained detailed information on the county’s information technology “footprint,” which hackers could have used. In addition, Ekanem allegedly used his county-supplied cell phone as a contact number for tenants in property he rented, and his county-supplied computer to pursue a master’s degree online during work hours.

The district attorney’s office is still reviewing the facts of the Ekanem case. The district attorney determined that the 44-year-old’s actions violate Section 502 of the California Penal Code, which makes it illegal to copy, use, send or disseminate internal county information outside the network. What is still up for debate is whether administrative or criminal sanctions will be imposed. “The real question is: Was the material something that should have been property of the county and not shared? And how much damage was done by disseminating it?” says Jim Sibley, head of the High Technology Crime Unit at the Santa Clara County District Attorney’s Office. According to allegations, Ekanem violated many of the information security policies he drafted for the county, including one stating that all information handled by county employees, regardless of form or format, belongs to the county and should be protected as an asset.

If allegations are true, Ekanem also betrayed policies he drafted that prohibit the use of the county’s Internet connection or e-mail system for personal profit, including outside business transactions.

“These policies are common sense and widely recognized as best practices in the industry,” Sibley says. -Paul Roberts


CSO SECURITY CHECK

What’s your level of job security?

[Survey chart: 18% Somewhat confident; 33% Very confident]

Half of you said you are not secure in your job. To gain that confidence, check out our special report on the CSO role starting on Page 30.


Target Terrorism

GOVERNMENT This spring, politicians across the country were jockeying for an unlikely distinction: a top spot on a list of likely terrorist targets. The prize for the winners? A bigger piece of federal antiterrorism funding.

In New York, politicians were outraged that of the $600 million in antiterrorism funding in the proposed federal 2003 budget, the state would get just $26.5 million, or $1.40 per resident, compared with a national state average of $3.29 per person. “New York City doesn’t ask for a share of Idaho’s farm subsidies,” Sen. Charles Schumer (D-N.Y.) complained to The New York Times. “They shouldn’t try to grab a share of our high-risk, antiterrorism funding.” (At press time, funding details were still up for debate in committee.) In Boston, politicians felt downright snubbed by a $100 million federal fund being disbursed as part of a new Urban Area Security Initiative. “I find it remarkable that Boston was not on the list of cities to receive additional funding from the Department of Homeland Security for its unique challenges posed by the threat of domestic terrorism,” Sen. Edward Kennedy (D-Mass.) told The Boston Globe.

Meanwhile, the vice mayor of San Jose, Calif., seems to have an underdog complex about the fact that San Francisco got a $10.7 million slice of that same pie, while San Jose got nothing. “Although we have not been told San Jose is in that tier, we certainly meet the qualifications,” Pat Dando told the San Jose Mercury News.

As far as we know, no one stepped forward to claim the distinction of being a safe state or city to live in. But that’s budget season for you.

-Sarah D. Scalet


ILLUSTRATIONS  BY  MICHAEL  MILLER 


June  2003  www.csoonline.com  17 


DISASTER RECOVERY

Lessons from a Disaster

JULIAN MORRIS, senior vice president and director of IT for DraftWorldwide, experienced service disruptions and downtime after attempting to merge three disparate systems corrupted by the Nimda virus. Morris learned valuable disaster recovery (DR) lessons in the process. Here are his top 10 lessons learned.

1. Be prepared. Test systems and define every detail of your network.

2. Plan as if your IT people will be unavailable. Have a DR plan that is so detailed an average person could recover your systems without the IT staff.

3. Prioritize. Have a list of tasks that are pivotal to getting operations up when a catastrophic event occurs.

4. Pick your team carefully. “Disaster recovery team members are appointed—they aren’t volunteers,” says Morris. Choose folks who work well under extreme pressure.

5. Develop information-gathering templates. Predesigned impact and damage assessment checklists and recovery site equipment checklists will aid in quick restoration of mission-critical data. Morris has copies of his DR plan on paper, in electronic form, on CDs, in PDFs, offsite in a storage facility and in the homes of DR team members.

6. Have a well-defined communication plan. If phone lines are down, you need to have alternate means of communication. Consider two-way pagers, cell phones, wireless mobile devices and a toll-free voice mail service that you can call from the outside on a pay phone if necessary.

7. Know who your stars are. Identify the core 10 percent of your staff—the people you’ll trust to maintain operations while you run in recovery mode. That includes employees in HR, accounting and IT.

8. Manage user expectations. Employees will want frequent updates. Morris has a 12-step DR guide with system recovery as the 12th step. He has a time frame assigned to each step so that he can tell users where he is within the 12 steps and when they can expect recovery.

9. Remind users that there was life before the Internet. When his e-mail systems were down, Morris’s users assumed they couldn’t do their work, but they still had fax machines, couriers and Kinko’s. He suggests running a test that will force users to resort to pre-Internet days.

10. Check the pulse of your staff. The pressure felt during a DR operation can be overwhelming. Check in with your employees regularly.

-Kathleen Carr


Disaster Recovery Spending by Industry in 2002

SINCE MID-2002, Gartner has seen DR spending levels begin to rise. It expects higher spending on DR and business continuity to continue through 2005. Enterprises have begun to recognize the role of DR within their business continuity plan as part of a larger risk management strategy.

Percent of Data Center Budget Spent on DR
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SOURCE:  GARTNER  MEASUREMENT  DATABASE 


DEPARTMENT OF HOPEFULLY WE’VE LEARNED

In 2000, GAO investigators disguised as plainclothes officers showed fake badges and gained access to two major commercial airports and 19 federal buildings including the CIA, the FBI, the Justice Department and the Pentagon.

SOURCE: GAO REPORT, "SECURITY: BREACHES AT FEDERAL AGENCIES AND AIRPORTS," MAY 25, 2000
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Salaries  in  the  Balance 


COMPENSATION When it comes to salary, privacy experts get their fair share when compared with many other professions outside of security, earning a mean salary of $101,146. But within the privacy profession itself, wide disparities in compensation persist.

According to a recent salary study by the International Association of Privacy Professionals (IAPP) and the Ponemon Institute, more than 70 percent of respondents reported earning anywhere from $60,000 to $150,000. On the low end, privacy professionals who work in the health-care industry—56 percent of the respondents—earn 10 percent to 15 percent less in total compensation than their privacy peers in telecommunications, financial services and manufacturing. Of all the privacy professionals surveyed, more than half with job descriptions that involved data protection earned less than those with jobs that focused strictly on privacy.

“The 2003 Privacy Professional Salary Survey Report” is based on information from 207 privacy professionals. The respondents hold titles that range from chief privacy officer to compliance officer.

A number of factors could be responsible for the inconsistencies in compensation, according to Trevor Hughes, executive director of the IAPP. Federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) demand that health-care companies employ more privacy officers to deal with compliance issues. And those privacy officers are compensated at a junior level.

In addition, dedicated privacy experts are a relatively new phenomenon. As a result, companies have very little outside information or precedent on which to rely when setting compensation. To compare the salaries of chief privacy officers with the salaries of CSOs, read “Coming of Wage” on Page 32. -Paul Roberts


A Standard Identity

REGULATIONS If the federal government has its way, transportation workers will soon be carrying more than cargo—they’ll also have to tote new identity cards. The Transportation Safety Administration (TSA) is about to begin testing what it calls a Transportation Worker Identity Credential (TWIC), a card that the TSA wants every employee in the transportation industry—from truckers and airport baggage loaders to dock workers—to carry. The cards may contain personal information and biometric fingerprint data that will make them difficult to forge or use if stolen. The TWIC is meant to replace the various methods of identification used by individual ports, says Robert Johnson, a TSA spokesman.

This summer the TSA plans to test a variety of cards at the Port of Los Angeles in Long Beach, Calif., and the ports of Philadelphia and Wilmington, Del. If the testing goes well, the cards could go nationwide as early as next year, says Johnson.

Identity cards have emerged as a hot-button issue in the shipping industry. Some opponents fear the TWIC is the first step toward a national ID card, while others are opposed to anyone having a database of personal information. At least one company, the Liberian International Ship and Corporate Registry (LISCR), has instituted its own biometric ID card in advance of the TSA mandate. LISCR, based in Vienna, Va., functions like a registry of motor vehicles for 2,000 cargo and luxury vessels. It sees its cards as a way to improve maritime identification practices and as a tool in the fight against terrorism, says Scott Bergeron, chief operating officer of LISCR. Like the TSA’s cards, LISCR’s IDs will use biometric fingerprint data, as well as digitized photographs of the cardholder and encoded personal information. LISCR is testing the cards with 2,000 of its individual members and hopes to roll the IDs out to all of them by the end of 2003.

-Simone Kaplan
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Call Ambiron toll free at 1-877-262-4766 to discuss your security needs.

www.ambiron.net • info@ambiron.net


Protect your information and your business with the latest Nokia technology from Ambiron.

Ambiron is an independent information security advisory firm that develops and delivers cutting-edge information security solutions that mitigate risk and enhance the bottom line. Our Enterprise Security Advisors work hand-in-hand with in-house staff to deploy the latest information security technologies to help companies across North America achieve their business goals.
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Chicago  •  Dallas  •  Los  Angeles 


Ambiron 

Enterprise  Security  Advisors 


ASIS Speaks Up

THE CSO ROLE The first people with “Chief Security Officer” stamped on their business cards were almost exclusively in the information security realm. Now corporate security pros have decided they aren’t letting go of that title without a fight. Recently ASIS, the 33,000-member American Society for Industrial Security, decided to weigh in, tasking its Guidelines Commission to create a formal CSO job description including security and risk management duties of all sorts. Two ASIS leaders—Don Walker, chairman and CEO of Pinkerton Security & Investigations and president of ASIS, and Chad Callaghan, vice president of loss prevention for Marriott International and cochair of the commission—spoke to CSO Executive Editor Derek Slater about the process of developing the job description.

Don Walker, CEO of Pinkerton Security & Investigations: Frankly, there are very few chief security officers out there. A number of high-level security positions exist, and the function of CSO is being elevated all the time, but the concept of a chief security officer at the same level as a COO or a CFO hasn’t caught on yet. We are seeing lots of VP- and director-level titles that afford broader responsibilities than that level would typically demand. But I think there’s confusion as to what and who the CSO is or could be. In addition, the turf wars within organizations blur the line between top executives.

We want to advise the major recruiting firms that are accustomed to dealing with top level executive recruiting—the Heidrick & Struggles, the Boydens. We also want to make their clients aware of the qualities they should look for in a CSO. At the same time, we need to reach the people who are participating now at various levels in security or protection of assets and who want to understand what a CSO is and how to become one if they’re not one now.

One of the shortfalls in the security industry—as in every industry—is turf wars. If we’re going to have guidelines that develop into a true consensus standard, we’ve got to involve everyone in the process. Right now, we have lawyers, educators and people with corporate and consulting experience on the commission. We’ll work with them to get the best draft document and then circulate it outside for comment.

We’ve got to be careful that we don’t identify a stereotypical CSO. For example, we don’t want the ex-military or ex-police officer to think they automatically have everything they need to be the CSO, nor do we want the CISO thinking that either.

Chad Callaghan, vice president at Marriott International: Two different worlds exist in the realm of security: one is generally called information resource security and the other is enterprise security or operations security. We think a CSO should carry responsibilities in both of those areas.

So we must first clarify the role of the CSO. Both the executives outside the security function and those within need this clarity. I think there’s an underlying premise that some people from the operations side believe their role is much broader than the information side. And, of course, there are some within the information side who don’t understand or recognize the operations side. In describing the CSO role, you may never satisfy everybody, but you could satisfy the majority in both groups.

Part of the challenge is that people who have grown up on the operational side have not had a great deal of exposure to the infosecurity issues, and vice versa. Quite frankly, since the operational side was around earlier than the information side, we’ve failed to grasp the enormity of information security and develop people to rise to that challenge as experts. If there’s going to be a CSO position out there, somehow we have to figure out how to encompass both of those fields into one.

We want to be broad-based in our approach to developing these guidelines, or people won’t accept them. Once you set a standard, you could ram it down everyone’s throat. But they won’t be worth anything unless people accept and use them. ■


WHAT YOUR PEERS ARE SAYING ABOUT YOU

“Do C-level execs even want the CSO as a peer? The other executives don’t



-DAVID JORDAN, INFORMATION SECURITY AND PRIVACY OFFICER OF ARLINGTON COUNTY, VA.
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ARE  YOU  PAYING  TO  PROTECT  THE  WRONG  ASSETS? 


Some information assets on your network are more valuable than others. So how can you protect your most important assets from the most critical threats? Introducing Foundstone Enterprise™, the first enterprise-level software solution that reaches into every corner of your network to discover all your assets, accurately identify threats and vulnerabilities, and decisively eliminate them. Foundstone software and solutions are already protecting the mission-critical assets of many of the world’s leading enterprises and government agencies. Find out how to get the most formidable protection for a finite budget. Call 1-877-91-FOUND. Or go to www.foundstone.com/csol
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The  Who,  What  and  Why  of  Washington 


Top  Billing 


NEWS  FROM  INSIDE  THE  BELTWAY 


Now  Clear  This 

The  government  works  to  quicken  the  pace  of  security  clearance 

By  Julie  Hanson 


IN THE 2004 BUDGET, President Bush has earmarked more than $123 billion for R&D funding for technological innovation, giving private industry the opportunity to earn dollars from the government in a tight economy.

That could be good news for your business. But working with government agencies requires obtaining security clearances—a lengthy, detail-oriented task that could take months to accomplish. The Office of Personnel Management (OPM) is trying to streamline the process.

OPM conducts more than 2 million security clearance investigations every year—so anyone looking for government clearance is often left waiting until someone there can process the paperwork.

OPM is betting that the Internet can change all that. Instead of its traditional paper-based forms, the office is launching a 13-page online application form—called e-Qip—for both prospective job applicants and R&D project workers. The form must be completed in order for them to obtain any level of security clearance in the United States. It is able to question an applicant’s background with a lot more detail than its paper-based predecessor.

In addition to the faster turnaround time for applicants, the online form will save OPM the time it takes to receive and process paper documentation and the space needed to store those documents, says OPM E-Government Program Director Norm Enger.

Placing the security clearance document online is only the first step. “Once a person gains clearance, the government can now form an electronic record that will follow them from government job to government job,” says Enger. And since agencies must constantly update personnel records, OPM will have current and detailed information on the 1.8 million employees and contract workers in the government.

In addition to e-Qip, OPM has developed the Clearance Verification System, which integrates information from security clearance investigations and the Department of Defense’s Joint Personnel Adjudication system. Now, Enger says, that ability to collaborate across departments creates a central storage location for information on who is—and who is not—cleared to work with government agencies and the military.

“Now we have a dramatic improvement in accessibility to information on civilian clearances,” says Enger. The OPM expects the entire project will save the government $258 million during the next 10 years.

Other initiatives at the Office of Personnel Management include e-Training—Web-based courses for federal employees—which is housed on the Government Online Learning Center (www.golearn.gov). The site offers more than 3,000 courses with 46,000 registered users from 40 government agencies. In addition, Enger says OPM is in the process of consolidating the payrolls of 22 agencies, with an expected savings of more than $1.2 billion in the next two years. ■


According to The White House Bulletin, Howard A. Schmidt, the White House adviser on cybersecurity, sent an e-mail to friends and coworkers announcing that he planned to resign and return to the private sector. He later announced he had accepted a position as vice president of security for eBay. Schmidt’s e-mail also stated that he would be working with Robert Liscouski, the assistant secretary of infrastructure protection at the Department of Homeland Security, on a transition.

The Palo Alto Research Center received $3.5 million to research the controversial Total Information Awareness project, a program designed to build a massive database to predict, track and preempt terrorist attacks by scouring databases from credit card usage to online activity. The contract was awarded by the Air Force Research Laboratory Information Directorate.

The White House has named John O. Brennan, a 23-year veteran of the CIA, as director of the Terrorist Threat Integration Center. The TTIC’s mission is to fully integrate all U.S. government terrorist threat-related information and analysis and to share that information across various departments, including the Department of Homeland Security, the Department of Defense and the FBI’s Counterterrorism Division.

The Bureau of Citizenship and Immigration is now accepting applications for immigration benefits online, including the renewal or replacement of a green card and applications for employment. After filing online, applicants later come in to a support center for the electronic collection of a photograph, signature and fingerprint.

For more about what’s happening in Washington, D.C., visit our website at www.csoonline.com/wonk.
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Not  with  us  it  isn't. 


We see management a little differently from the other guys.

At NetIQ, we don’t see a problem. Only solutions. Managing your Windows server environment is easier than ever with Microsoft Operations Manager. And, as a key Microsoft partner, NetIQ extends Microsoft Operations Manager to manage and secure your entire enterprise, whether you’re driving UNIX, NetWare, Linux, Windows...or all of them. NetIQ. We’re the management people. And nobody does management smarter. Nobody.

CIO eBook! Get your free copy of From Chaos to Control: The CIO’s Executive Guide to Managing and Securing the Enterprise. www.netiq.com/manageability
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Work  Smarter® 


©Copyright 2003 NetIQ Corporation. All rights reserved. NetIQ and the NetIQ logo are registered trademarks of the NetIQ Corporation.
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Security  Counsel 


Facilitating Security

Robert Bosco, VP of security operations at architecture firm HDR, answers readers’ questions about security assessments

Q: How can I create a safe environment without creating a lockdown feeling?

A: Unfortunately, in many buildings, security is considered an afterthought. The building is built, and a security company is then asked to add security to a building. Security in this scenario usually takes the form of CCTV, access control and weapons screening that appears to have been added as an afterthought and is usually obtrusive, which creates that lockdown feeling.

We consider security in the early phases of a building’s design. For example, if a facility is built along a parking lot or roadway—if a vehicle can approach it unimpeded—that facility is vulnerable to vehicle attack. This usually results in security folks placing jersey barriers around the building to keep vehicles at a safe distance, which is an effective but obtrusive solution. A solution during design would be to provide as much set-back distance from a facility to parking lots and roadways as possible, and then design tiered or terraced landscaping to prevent vehicle access. A solution to reduce the need for video cameras during design would be to provide better lines of sight so that personnel could see without cameras.

[For more on security design, see “Hidden Strengths” and “The Architect” in the May issue.]

In existing facilities, the same principles can be employed. However, they may cost more to implement because they have to be retrofitted to the building.

Q: What are security penetration exercises?

A: A security penetration exercise is a physical test to see if the security at your facility is effective against intrusion or other threats. This provides your facility with a true-to-life scenario to test your system or personnel. I have conducted these exercises with members of my group. The organizations and facilities we have penetrated were able to see how effective their systems and staff were in a real situation. An important part of the exercise is the debriefing that you have with the facility staff to identify deficiencies and lessons learned and make recommended improvements. I suggest that you have trained consultants conduct the exercises rather than conducting them yourself.
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Q: How can I stay current when there are new security products on the market every week?

A: The latest and greatest security products are usually advertised in security periodicals. You become dependent on advertising hype to determine the technology’s applicability to your facility. Trade shows such as the ASIS International convention allow you to see the product work in the controlled environment of a convention hall. Having a vendor come to your facility to show you a product is another way to determine what is applicable to your facility. However, vendors are salesmen with a vested interest in their products.

All of these methods have their pitfalls. The best way to know that you’re getting the latest and greatest technology is to hire an experienced security design consultant—who does not have a vested interest in any one product. This person can provide an integrated design for CCTV, access control, intrusion detection, duress alarms and intercom systems. Overall, you’ll need a system that is not proprietary, is user-friendly and can be expanded or replaced with the products that will be on the market tomorrow.

Q: Are there some general rules of thumb that speak to the number of front desk or lobby guards as a ratio to the number of building occupants?

A:  There  is  no  clear-cut  answer,  but 
there  are  some  rules  of  thumb.  If 
weapons  screening  occurs  at  your  build¬ 
ing,  then  a  person  is  needed  at  each 
metal  detector  and  X-ray  unit,  plus  one 
additional  person  to  do  secondary 
searches  when  someone  sets  off  the 
metal  detector. 

If  weapons  screening  does  not  occur 
at  your  facility,  and  the  occupants  of  the 
building  are  much  like  the  population  of 
the  community  in  which  you  are  located, 
you  should  contact  your  local  law  enforcement  agency 
and  ask  them  the  ratio  of  law  enforcement  officers  to 
citizens.  It  will  be  given  to  you  per  capita  or  in  officers 
per  1,000  population.  Add  to  that  amount  the  number 
of  personnel  that  occupy  your  central  security  monitor¬ 
ing  station.  These  individuals  should  not  be  included  in 
your  staffing  number.  Their  focus  should  be  to  monitor 
the  security  systems  of  the  building.  ■ 

* Have a security topic to suggest or an expert you'd like to hear from? Send your thoughts to Assistant Managing Editor Kathleen Carr at kcarr@cxo.com. Go online to see what your peers are discussing at www.csoonline.com/counsel.


Flashpoint

Diversity Training

Homogenous network environments have bred unprecedented levels of convenience and efficiency in new technology. They've also created mass vulnerability.

By David H. Holtzman


In 1980, the World Health Organization declared smallpox eradicated. However, by the end of this year, millions of health-care personnel and other first-responders will have to be immunized against smallpox. How does an allegedly extinct disease become a national risk 20 years later? Because the lack of vaccination has homogenized the same vulnerability into a large percentage of the population. And once a virus starts, it's hard to stop it.

This idea is just as relevant to communities of computers as it is to people, and it illustrates an unappreciated principle of systems in general and networks in particular: diversity. Diversity in computer platforms can prevent a virus from taking over an entire network.

But, in truth, a large percentage of the population does use the same computer platform. The antitrust case against Microsoft was meant to protect free trade, but an argument could be made that the government should also take steps to protect techno-diversity for security's sake. Even a benevolent monopoly is dangerous because it becomes indispensable. If a virus or worm targets those ubiquitous systems, we are all affected because there is no vaccinated population able to withstand the attack.

Standardization, for all its benefits, is insidious because it enables virulent attacks to spread everywhere through common communications protocols, faster than an open-mouthed sneeze in Grand Central Station at rush hour.

Exacerbating this problem are convenience features built upon a homogenized computer environment, such as patching. Patching software used to be a low-priority task for administrators; it was common to see different releases of programs running side by side. It might have been a little bit of an administrative headache, but it actually worked as a benefit to a network's immune system: one system might get infected by a virus while another did not.

Unfortunately, today's applications upgrade themselves automatically. Bugs, glitches and holes that would have affected only early adopters or a few computers on a network can now become an epidemic before they're even spotted. The convenience of automation has led to uniformity, and uniformity in turn has enabled mass exposure to viral threats.

Diversity creates a natural firebreak for computers. I have never seen a virus that can infect both Linux and Windows boxes, and only a few can cross between Macs and PCs. In fact, the earliest warning of a network attack is often a log entry written when one kind of system rejects the worm's connection attempt even as the other kind is infected.
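The early-warning log entry described above, as an added example that is not part of the original column: a small correlation script run over constructed connection-log lines. It assumes a normalized six-field log format (timestamp, host, OS, ACCEPT or REJECT, port/protocol, source address); that format, the hostnames, the addresses and the UDP/1434 fan-out are all assumptions constructed for the example, not any product's native log. The script flags a source that reaches several hosts on one port within a minute and reports which platforms accepted and which rejected, with the earliest reject as the signal.

```python
"""Worm fan-out detector that uses the "odd platform" reject as the early signal.

Added example, not code from the original column.  It assumes a normalized
connection log of the form (one record per attempt; constructed for this
example, not any vendor's native format):

    <ISO timestamp> <host> <os> <ACCEPT|REJECT> <dport>/<proto> <source ip>

A worm that fans out from one internal host hits every peer on the same port.
Peers that run the targeted service accept the connection (and get infected);
peers that do not run it, here the Linux boxes, reject it and write the log
entry that tells you something is wrong.  Correlating both kinds of record
for the same source and port produces the alert.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: one source sprays UDP/1434 across a mixed Windows/Linux
# segment; two unrelated single connections on TCP/445 are ordinary traffic.
SAMPLE_LOG = """\
2003-01-25T05:29:41 db01   windows ACCEPT 1434/udp 10.0.0.17
2003-01-25T05:29:41 web03  linux   REJECT 1434/udp 10.0.0.17
2003-01-25T05:29:42 db02   windows ACCEPT 1434/udp 10.0.0.17
2003-01-25T05:29:42 mail01 linux   REJECT 1434/udp 10.0.0.17
2003-01-25T05:29:43 db03   windows ACCEPT 1434/udp 10.0.0.17
2003-01-25T05:29:44 ns01   linux   REJECT 1434/udp 10.0.0.17
2003-01-25T05:31:02 fs01   windows ACCEPT 445/tcp  10.0.0.23
2003-01-25T05:40:00 fs01   windows ACCEPT 445/tcp  10.0.0.31
"""


@dataclass
class Record:
    ts: datetime
    host: str
    os: str
    action: str      # ACCEPT or REJECT
    service: str     # e.g. "1434/udp"
    src: str


@dataclass
class Alert:
    src: str
    service: str
    first_seen: datetime
    accepted_by: Dict[str, Set[str]] = field(default_factory=dict)  # os -> hosts
    rejected_by: Dict[str, Set[str]] = field(default_factory=dict)  # os -> hosts
    first_reject: Optional[Tuple[str, datetime]] = None  # the early-warning entry


def parse(text: str) -> List[Record]:
    """Parse the normalized log; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] not in ("ACCEPT", "REJECT"):
            continue
        ts, host, os_, action, service, src = parts
        records.append(Record(datetime.fromisoformat(ts), host, os_, action, service, src))
    return records


def _summarize(src: str, service: str, hits: List[Record]) -> Alert:
    """Bucket the hits by platform and remember the earliest reject."""
    alert = Alert(src, service, hits[0].ts)
    for r in hits:                      # hits are in timestamp order
        bucket = alert.accepted_by if r.action == "ACCEPT" else alert.rejected_by
        bucket.setdefault(r.os, set()).add(r.host)
        if r.action == "REJECT" and alert.first_reject is None:
            alert.first_reject = (r.host, r.ts)
    return alert


def detect_fanout(records: List[Record], min_targets: int = 4,
                  window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Alert on any (source, service) that reaches min_targets distinct hosts
    inside one window.  Rejects count as targets: that is the whole point."""
    by_key: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):   # stable sort: ties keep log order
        by_key[(r.src, r.service)].append(r)

    alerts = []
    for (src, service), recs in by_key.items():
        start = 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            if len({r.host for r in recs[start:end + 1]}) >= min_targets:
                anchor = recs[start].ts
                hits = [r for r in recs[start:] if r.ts - anchor <= window]
                alerts.append(_summarize(src, service, hits))
                break                   # one alert per source/service is enough
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse(SAMPLE_LOG)):
        if a.first_reject:
            signal = f"{a.first_reject[0]} at {a.first_reject[1].time()}"
        else:
            signal = "none: every target accepted (homogeneous segment)"
        print(f"{a.src} -> {a.service}: accepted on {dict(a.accepted_by)}, "
              f"rejected on {dict(a.rejected_by)}; earliest signal {signal}")
```

Run with python3, the constructed log yields one alert for 10.0.0.17 on 1434/udp, with web03's reject at 05:29:41 as the earliest signal. Two practical caveats: the signal comes from any host that does not run the targeted service, whether the difference is operating system, version or simply a disabled service, so a hardened Windows host without the SQL Server resolution service is as good a sensor as a Linux box; and in a fully homogeneous segment the script still raises the fan-out alert but has no reject to point at, which is exactly the blind spot the column describes. Note also that Slammer, the attack the column cites for its cost, exploited a SQL Server 2000 flaw whose patch had been available for about six months; the detection benefit shown here does not depend on deferring patches.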

I'm not advocating that companies create fully redundant hardware and software environments. That, of course, is not cost-feasible. On the other hand, it's good practice to be wary, in general, of single points of failure, whether hardware, software or human. Single-vendor solutions will always create such a weakness. What's more, homogeneity encourages sloppy internal practices by "certified" security experts who have been trained to use a specific application and who don't have the foundational expertise to adapt to new situations, to diversify.

But introducing even a token number of Unix workstations or servers forces the Windows administrative staff to learn the basics of other systems and reduces the corporate dependence on a single line of technologies.

What does it all mean? The conveniences that homogeneity and features such as patching provide might not be so great after all. It would be telling, for instance, to measure the benefits of homogeneity against one major virus attack like Slammer. Without doing calculations, it's not hard to imagine that one bout with Slammer costs more than the convenience that standard features give you over the course of a year.

Which all leads to some counterintuitive advice for the security conscious: CSOs should make an effort to slow down the rate of standardization in the enterprise. Use a combination of Linux and Windows, and don't be too quick to apply a patch unless something is already broken. Turn off automatic updates. Buy equipment from more than one manufacturer; a good mix is 70:30. There's also a cost advantage because competition drives better deals.

Hedge your bets: the best containment strategy to avoid catastrophic failure is diversification. ■

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com. Send feedback and column ideas to Senior Editor Daintry Duffy at dduffy@cxo.com.
Leave it to the shrinks to come up with the very best way of describing a mess. By labeling the current executive security profession as suffering through an "Identity Crisis," we mean no disrespect to individual CSOs. What we're seeing, though, is a mess: an unformed role still rife with assorted uncertainties.

Not that the world itself hasn't always been rife with vulnerabilities, but never more so than it is today. As fear of terrorism and geopolitical anxiety escalate, security seems to be on everyone's mind. In the newly networked corporate climate, in particular, the need for a coordinated security effort is at an all-time high. And yet, just as the security function seems poised to make an entrance into the corporate ranks...there's a steady flow of security executive layoffs. And only a marginal increase (at best) in security spending.

That's the nature of the identity crisis: The CSO is not yet widely established as a legitimate corporate executive, although all the signs say that security should be more important than ever. Indeed, there's precious little consensus about how to make the corporation secure: how the function should be organized and governed, who should lead it, what skills they need, and how to measure their effectiveness. Consultant Thornton May sums up the widely held perception of security in this way: Despite the very best intentions, CSOs "haven't made their enterprises more secure; they've just centralized blame," effectively giving the CEO one neck to choke, no matter what kind of breach has occurred.

Resolving the crisis will require a significant reworking of the security executive skill set, a daunting, but not impossible, task. If precedent counts for anything, it's worth remembering the evolution of the
CIO. The title first appeared in the mid-'80s, when the CIO was simply known as "the data processing guy." CEOs demanded return-on-investment calculations; CIOs countered that IT was a special case. "Standard business metrics don't apply to us," they'd say, the subtext being, "You, Mr. CEO, can't understand technology."

After suffering through years of misaligned IT departments, CEOs got fed up and yanked the technical guys out of CIO positions and replaced them with line-of-business managers who had no technical background. It was a wake-up call for many CIOs: Technology would, in fact, be subject to the same disciplines as other business functions. Today, an MBA is a more common credential for CIOs than any technical certification.

Early CIOs failed in the same way many security leaders are foundering today: They alienated themselves. A similar epoch may befall the CSO unless he can create certainty among senior executives that the security function is centered, 100 percent, on making business possible and more profitable.

This special issue is designed to help CSOs breeze through, or even skip, that painful evolutionary stage. We surveyed more than 400 security professionals and interviewed dozens more CSOs and CISOs to extract keys for security executive success. Some of our stories present research results on CSO compensation and responsibilities. Some point to solutions for getting the job and keeping it. Some will help you organize your company's security function for maximum effectiveness. Through this broad range of topics, a few common threads of advice are woven.

First, security must end its turf battles and present a unified front to business leaders. Corporate and infosecurity personnel should do lunch, hold educational seminars, throw Hawaiian-shirt keg parties, whatever it takes to knock down the walls of mistrust. The security team must put aside power struggles, personality clashes and stereotypes to gain credibility from the rest of the organization.

Security must also stop sending business leaders negative messages. The message is not about what executives don't understand or what they can't do. Successful CSOs will be those who demonstrate an eagerness to listen to the business agenda and then work to make it happen, securely.

Finally, and this will be the mark of the security function becoming mature and embedded in business psychology, CSOs must find the places where security truly can serve as a differentiator for the business, a point that establishes customer trust vis-a-vis the competition.

Addressing such issues won't solve every problem the CSO faces, but it will lay the foundation for a clear identity: a well-defined, widely accepted position in the executive ranks from which to truly effect corporate change. It could be a long journey, and for many it will be difficult. The only thing harder is staying where we are now.

-Derek Slater


C-level security execs focus mostly on IT...

WHICH OF THE FOLLOWING RESPONSIBILITIES DO YOU HOLD?

  Infosecurity only                          37%
  Business continuity/Disaster recovery      23%
  Both corporate and information security    16%
  Corporate (non-IT) security                 8%
  Other                                      19%

NOTE: 60 RESPONDENTS WITH CSO OR CISO TITLES. MORE THAN ONE ANSWER ALLOWED.

...and frequently hold nonsecurity responsibilities as well

DO YOU HAVE OTHER RESPONSIBILITIES OUTSIDE OF SECURITY?

  Yes   50%
  No    50%

NOTE: 73 RESPONDENTS WITH CSO, CISO OR CHIEF RISK OFFICER TITLES.
The only clear trend when it comes to security salaries is that they're likely to rise as the function matures

There's no such thing as an industry standard when it comes to the executive security position: not for title, job scope, responsibility or reporting structure. And that goes double for compensation.

Security salaries are still shaking out as the executive-level security role comes into its own. Partly, that's because the story of the typical CSO is not a simple one. Just about every security officer out there is a variation on a theme. Likewise, there's no clear consensus on exactly what a CSO's worth is, certainly not among the recruiters nor even the CSOs themselves. "I'd say most make at least $100,000," says the chief of security for a large credit union. But the gap between that and the top end of the market for CSOs is wide. "Large companies hiring security executives can pay up to $500,000," says Marc Lewis, president for the North American division of Morgan Howard, a global technology executive recruiter. The disparity can be chalked up to the fact that no aspect of the CSO role itself is clearly defined.

As part of our annual compensation survey of more than 400 security executives, we asked CSOs to give us an idea of how much they make, what their jobs entail, what their professional titles are, how long they've been at their jobs and in what industries they work.

The results were not what we were expecting. Our respondents indicate that having a C-level title doesn't necessarily translate to a higher salary. In fact, most of the respondents at that level are making about the same in terms of total compensation, regardless of title; in other words, security managers earn basically what CSOs do. Compensated most highly are vice presidents or directors, but only 8 percent of them make more than $300,000 per year.

We may have been caught off-guard, but the lack of a connection between title and compensation was no surprise to CSOs we talked to. According to Marcia LaManna, corporate director of systems security for Lifetime Healthcare, title isn't the point. "I don't care much about title," LaManna says. "I'm the last word on security at my company. If I were at another company, I'd probably have the CISO or CSO title. But I don't think the C in the title matters in terms of salary."
Our survey also revealed that there were almost as many names for top security executives as there were companies queried. Well, maybe that's an exaggeration, but we discovered that a security manager at one company can be doing the same job as an executive vice president or a CSO at another. That's probably why, at least for now, compensation levels are predicated more on the scope of the CSO's job responsibilities than on title. And that's the way it should be, LaManna says. "The bottom line is accountability and responsibility." Basically, the more you're responsible for, the more you make. A security executive in charge of traditional and information security will command more than someone overseeing only infosecurity, and an executive at a 2,000-person company will make less than someone responsible for protecting 40,000 people.

Also, industries with a high risk level tend to pay higher salaries to their security executives, says LaManna. Salaries in health care, for example, are starting to reflect the increase in security responsibilities caused by demands for data privacy, she says, although compensation still doesn't compare favorably with that of the financial services sector. "That's partly because portions of the health-care industry are still nonprofit," LaManna says. "But now, with HIPAA and the Gramm-Leach-Bliley Act adding to the privacy responsibilities of the security officer, salaries are starting to go up."

In general, though, companies have been slow to define the scope of the CSO job, which means they don't know how to properly compensate the people they hire. CSOs say that companies that have created new executive-level security positions aren't paying what the position is worth. "They're totally lowballing it," says the CSO at a large university who has had offers in the range of $60,000 to $90,000 from companies trying to fill new security positions. "They're not going to find a qualified CSO for that salary."

A correlation between a company's emphasis on security and how much it pays security executives definitely exists, says another CSO. "Companies that are new to security usually don't place a lot of value on the function," he says. "But companies that have had senior-level security positions for a while understand exactly how important it is, and they pay accordingly."

Compensation also depends on the industry in which a CSO works, and that is where the survey numbers were truly surprising. Our findings show that the computer industry pays its security executives more than any other industry, including financial services, which most of the CSOs we talked to assumed was top of the list. "The computer industry pays more because until recently, it was the hottest thing around," says Rob Graven, a managing director specializing in technology and security services for Boyden Global Executive Search. "Computer and software companies have had the biggest IT departments with the largest budgets, and even though the boom is over, the salaries have held."

Financial services has other benefits, however, that make up for relatively lower security salaries. "The financial services industry does pay well," says the CISO at one of New York's exchanges, but it is also more conservative than the technology industry and thus can offer greater job stability as well. "The computer companies can't do that right now," he says.

With the economy in a holding pattern and the country recovering from war, CSO salaries probably won't experience any major ups or downs for a while, says Graven, though he sees greater demand for qualified security personnel developing once the economy gets back on track. More important, Graven says, the CSO role needs to gain greater definition and become more of a known quantity to corporations and CSOs alike. Once that happens, security executives can expect to receive more recognition, responsibility and respect in their jobs and, probably, more negotiating power over paychecks. -Simone Kaplan


Salaries for information security are only slightly higher than those for corporate security

RESEARCH

CSO's survey "The State of the CSO" was administered online to CSO subscribers from March 1 to March 15, 2003. Results shown here are based on the responses of 408 security professionals in a range of industries, including wholesale/retail/distribution (10%), finance/banking/accounting (9%), medical/dental/health care (8%), manufacturing (9%), government (9%) and computer-related industries (6%). Twenty percent of the survey base worked at companies with fewer than 500 employees; 27% were from companies with 500 to 5,000 employees; 42% worked in companies with more than 2,500 employees; 11% did not answer the question.

A C-level title doesn't necessarily mean higher pay: security managers earn basically what CSOs do.
CSOs will find few job openings but a wealth of candidates for them

He's been offered every job that he ever interviewed for, and he admits it without the slightest trace of braggadocio. His resume includes four years at the FBI, 19 with Amoco's corporate security group (now BP Amoco), a nonsecurity assignment managing the Georgian Pipeline Co. in the former Soviet Union, capped off by his current tenure of nearly five years with pharmaceutical giant Merck as its executive director of global security, a lineup of organizations that makes his perfect record all the more impressive. So what does this guy know about landing an executive security position that the hungry hordes of midlevel and government agency security administrators don't?

Getting hired as a CSO is not just about what you know. It's about who you know and where you come from and what you believe and how you present yourself. As if that weren't enough, CSOs are currently standing on a foundation of overlapping responsibilities that are shifting like tectonic plates. The mission a candidate is given when hired is likely to become obsolete by the time he gets around to rolling over his 401(k). Consequently, a would-be CSO needs to be a true

(Continued on Page 38)

Merck's Bob Moore attributes his perfect employment record to honesty, credibility and sound ethics.
Remember: Once you have the job, it's the little things that help you keep it

By Scott Berinato

Nearly 30 years of experience and four jobs in corporate security, including his current post as executive director of global security at Merck, and not once has Moore been let go, laid off, fired or otherwise left to "pursue other interests," as the transparent euphemism goes.

He attributes his perfect record to the kinds of things you'll find in all the management and leadership books: honesty, confidence, good staffing, experience. But then he backs it up. He demonstrates how the dog wags the tail, not vice versa. He hasn't been fired, in part, because of his credibility. Sounds nice. But then Moore explains in large block paragraphs how he gained credibility: by reporting to legal counsel, for one. And by creating global security policies in which the most detailed section is not on what employees can and cannot do, but on the ethical guidelines for his own security team.

"He is what I'd call the example of a CSO who's a leader and who will thrive," says Tracy Lenzner, CEO of the LenznerGroup, an executive recruitment company that places CSOs and CISOs.

Not all of you will be as lucky or as smart as Bob Moore. In fact, the reason we're writing this story now, right after you learned how to get hired, is because there is also an epidemic of firings going on.

That's especially true in the information security ranks. Companies such as Merrill Lynch and Fidelity have eschewed their information security officers. And R.A. Vernon, the CISO for Reuters America, was interviewed for this issue because of his wealth of experience and because he directly contributed to his company's revenue stream. Before we finished, he was let go.

The statistics show that most of you are not like Bob Moore. You are young in your job or the first to

(Continued on Page 42)
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( Continued  from  Page  36) 

jack-of-all-trades— a  broadly  skilled  and 
highly  adaptable  creature  who  is  knowledge¬ 
able  in  all  things  security.  But  he  must  also  be 
flexible  enough  to  evolve  with  the  role  and 
pick  up  new  skills  when  necessary.  Hariy 
Shah,  CISO  of  Marsh,  a  risk  and  insurance 
services  provider,  sums  it  up  this  way:  “A  CSO 
has  to  be  a  futurist,  an  evangelist,  a  technology 
manager,  a  cheerleader,  a  change  agent,  a 
good  bureaucrat,  a  very  good  policy-maker,  a 
negotiator  and  a  legal  expert.  And  on  a  good 
day,  he  also  has  to  be  a  security  engineer.” 

Beyond  the  CSO’s  skill  set  is  the  matter  of 
the  economic  climate.  It’s  a  tough  job  market, 
and  companies  that  aren’t  waiting  out  a  hiring 
freeze  are  taking  a  very  slow  and  deliberate 
approach  to  filling  their  top  security  spots. 

Yet  experts  say  good  candidates  are  lacking. 
“I  talk  to  a  lot  of  companies  that  can’t  find  heads 
of  security.  They  have  hiring  reqs  open  six  to 
12  months,”  says  David  Foote,  president  and 
chief  research  officer  of  Foote  Partners,  an  IT 
research  consultancy.  “When  I  ask  them  what 
they’re  looking  for,  it’s  someone  with  a  broad 
view,  someone  who  can  think  strategically, 
someone  who  can  stand  head-to-head  with 
line-of-business  executives.  Companies  want 
CSOs  who  can  sell  security,”  Foote  adds.  “They 
want  people  with  incredible  marketing  skills 
who  don’t  look  at  security  as  a  cost  center  and 
a  technology  domain  but  a  business  issue.” 

The  reporting  structure  and  responsibilities 
may  differ  from  company  to  company,  but  it’s 
clear  that  there  are  certain  qualities  that  define 
star  prospects.  Whether  you  are  up  for  your 
first  CSO  position  or  your  fourth,  you’ll  want 
to  understand  the  skills  and  expertise  that 
define  a  good  security  executive  candidate. 
CSO  has  gathered  an  array  of  tips  on  how  you 
can  buff  up  your  image,  flesh  out  your  resume 
and  gain  the  in-demand  skills  that  will  make 
you  an  attractive  candidate. 

Attitude Adjustments

Nobody’s saying that snapping up one of these positions will be a cakewalk, but before we get down to the experience and qualifications necessary for a CSO, here are a couple quick attitude adjustments that candidates should make. The CSO role may be fairly new, but it’s been around long enough to pick up some pretty unsavory stereotypes.

Don’t Be Predictable

When speaking of the prototypical CSO, the proverbial bull in the china shop applies. Too often, CSOs come blazing into a company with lots of ideas for sweeping departmental changes and new draconian policies—and manage to achieve little more than alienating their peers. Tracy Lenzner, CEO of the LenznerGroup, a security executive recruiter, has seen CSOs come and go, and has found that attitude and the failure to read the corporate environment are often the key reasons for a short tenure.

“I’ve watched people ruin careers by going in with a big ego and then wearing it on their sleeve. Usually, they’re out in three months—just dead in the water,” says Lenzner. The position is more about gaining trust and respect, and exercising political savvy.

Remember the words of Kenny Rogers—“you gotta know when to hold ’em, know when to fold ’em.” A CSO candidate who respects the corporate culture and is sensitive to the importance of not only integrating security goals into an existing environment but selling them to corporate stakeholders will be better received than one who is intent only on ramming his agenda through.

Lose the Geek Speak

We’ve invoked this tenet many a time, but the importance of checking the technical mumbo jumbo at the door can’t be overstated. Business executives don’t want to be dazzled by the number of acronyms a security guy can shoehorn into a single sentence. They want to hear security explained in terms that they understand: risk and return on investment. In fact, CSO candidates who take as their mission translating the security function to business executives will probably create endless goodwill. “People outside of security have almost no concept of what security is,” says Carol Siegel, CISO of American International Group, an insurance and financial services company. “Viruses, hackers, firewalls—they don’t understand the depth and breadth of the field at all.” Companies want CSOs who can close that knowledge gap without expecting their peers to talk like engineers.

Tracy Lenzner, CEO of security executive recruiter LenznerGroup, says that attitude and the failure to read the corporate environment are often the key reasons for a short tenure.


Slow and Steady Does It

It’s not enough for the CSO candidate to make a good impression. When it comes down to the nitty-gritty of identifying the most qualified applicant, companies are going to be looking at some concrete skills as well.

Right now, the security market is flooded with Johnny-come-latelies looking to adapt a patchwork of technology skills and corporate experience into a position in the hot security sector. Most companies are wise to these charlatans, and they want to look at candidates who have been steadily building toward an executive security position instead of hopscotching all over the technology field. “Larger organizations in particular are looking for people that have evolved from smaller roles [in security], to larger ones, to global roles,” says Lenzner. Add to that a dash of business experience and you have a background well-suited to the CSO role.

Moore’s career growth toward his current position at Merck is a good example. His long track record in security with the FBI and Amoco established him as a candidate with a strong background in the field. “What Merck liked about me was that I spent the vast majority of my career rising through the ranks of a corporate security organization and then stepped out to be the vice president of country operations in the former Soviet Union on an oil and gas development project,” Moore says. While that might appear to be a digression on a resume, it actually made Moore a more attractive candidate because it gave him international experience that would be important to Merck as a global company with operations in more than 100 countries. It also gave Moore experience as a nonsecurity line-of-business executive, creating a level of comfort for the executive team, which naturally wants a security partner who understands its needs.

Establish Your Cred

Sure, certification has its share of detractors. Many feel that the credentials are too easy to get, but as a measure of general security knowledge, the CISSP and CPP certifications still say something about a candidate’s expertise and dedication.

The information security field is particularly cert-sensitive. According to Foote Partners, workers receiving premium bonus pay for a CISSP experienced a 38 percent growth in that bonus pay last year—the highest pay bump for any certification on the market.

Companies like to see security executives with a combination of experience on the business side and a technical certification because it bodes well for their ability to knit those two groups together.

While the relationship of the CSO to the IT security department varies greatly depending on the company, certification can buy you a certain degree of respect from the technical team. That will make you not only a more appealing candidate, but if you land the job, it may also smooth your way to a fruitful partnership with the IT function.

Have Some War Stories

An applicant with lots of ideas and opinions but no war stories of hairy security situations encountered and resolved is a big red flag for companies. Dan Lohrmann, CSO and director of security and disaster recovery for the state of Michigan, stresses the importance for would-be CSOs of being able to give firsthand examples of their work, backed up with good reference points that show what they did to resolve a problem and why they chose that solution. “I was asked about e-government, identity theft, about strategies to stop spam and how much I knew about incident response,” says Lohrmann about the interview that landed him his current position. “They wanted to know how I would organize [security] given different agencies that have different approaches.”

CSO candidates should walk into an interview with examples of how they handled situations at previous security assignments that showcase the abilities they want to project to an employer—whether it be analytical and motivational skills or negotiation techniques.

Get That Vision Thing

When Moore joined Merck, he recalls that security was basically “a dysfunctional function.” There were one or two corporate security employees at headquarters, and the rest were tucked away in different divisions. Moreover, those divisions didn’t communicate with one another, and they lacked common systems, policies and resources. The company was looking for a security executive who could pull all those siloed security teams into a centralized function and then map out a long-range plan for security that would carry Merck forward.

Moore is now nearing completion of his original five-year plan, and he identifies vision as one of the critical assets that CSOs must bring to the table. But be warned: Presenting your company with a clear vision of its security evolution requires discussing more than just the end result. “If you don’t understand where you need to go, you probably won’t know how to get there,” says Moore. “For me at Merck, it was a matter of having the experience to know what was needed before I could come up with recommendations about how to accomplish it.” An applicant who communicates that sense of direction in an interview marks himself as someone who will be able to firmly take the wheel and chart a course.


Be the Ball

It’s pretty tough to demonstrate your commanding leadership skills and unsullied ethical merit in an interview without coming off as arrogant and stilted. But the less tangible skills that CSOs must bring to the table are also important. Companies are exercising more discretion and scrutiny in filling their top security positions. Their selections, after all, are highly indicative of the kind of organizations that they run. Sure, there are some qualities that people either have or don’t have, but they are highly sought after in security functions, and it’s worth keeping that in mind as you present yourself to potential employers.

To project such qualities in an interview, don’t try to hit the ball; be the ball.

Be the ball with leadership too, says Lenzner. “The CSO is analogous to a commander or a general. Unexpected things happen, and they have to have the expertise and leadership qualities to minimize the damages. When we talk about CSOs, we’re really talking about the best of the best.” Specific to the CSO job, leadership is expressed in any number of ways. It’s thinking strategically and creating, defining and executing an enterprise strategy. It’s also about making that strategy real to its various stakeholders and lobbying and cajoling for their support until you get it. “Companies are looking for much more leadership than five or so years ago,” says Siegel. “You need someone with a larger perspective who can engage all the right people. The [top security person] used to be much more a technician. Now we need more of a forward-thinker, a solutions designer and an analyzer.”

In the interview that landed him his current position as Michigan’s CSO, Dan Lohrmann was prepared with examples of how he handled security situations in previous positions.


Remember the Dalai Lama

Thanks to Enron, Andersen and the other accounting scandals of the past few years, ethics has been getting a lot of play as a fundamental corporate value. But its importance is felt most keenly in the security organization, where access to sensitive information and responsibility for internal investigations create the need for a higher standard. That means that CSO candidates in particular need to exemplify those values. Resume fudging and other ethical breaches are taken much more seriously when the candidate is applying for a security position. More security organizations are doing background checks and conducting polygraphs, especially in cases where the company does business with the government. Lohrmann recalls an incident where a member of his staff was hired away for a lot more money to another security position. The new company later found that a couple lines on his resume were untrue, and it withdrew the offer. “Character always matters,” says Lohrmann, “but especially in security where you have to be seen as above reproach.”

CSO candidates who pledge to uphold ethics throughout their organizations will be attractive prospects. “Security professionals hold the keys to the kingdom,” says Moore. “We see from the mail room to the boardroom, and we have to be viewed as absolutely transparent.”

Stay Flexible

One of the few constants that CSOs can count on in their jobs is change.

Cooperation from line-of-business executives and the executive committee will wax and wane, and the willingness to write, scrap and rewrite plans on an ongoing basis will serve a CSO well. Flexibility also means that the skills and experience that get you the job will need constant refreshing to stay current with the rapidly changing scope of CSO responsibilities. When Moore left Amoco for his new position at Merck, his basic security skills stood him in good stead, but after 19 years in the oil and gas industry, he found that the pharmaceutical industry came with a new set of security and business issues that he needed to know. He took advantage of the experience around him to learn about the industry and its specific product security issues to quickly close that knowledge gap. Which brings us to the next point.

Don’t Have All the Answers

Security executives often feel as if they have to be the repository of all security knowledge within the organization. But most companies would rather hire someone with the self-confidence to ask questions than to bring in a know-it-all who bluffs his way through a conversation. “It gets down to having enough confidence in yourself to understand that you don’t need to have all the answers,” says Moore. He frequently compliments his security compatriot in Hong Kong for calling with questions despite the fact that he’s 12 hours and 8,100 miles away. “It’s a sign of strength in my view when someone asks a question rather than trying to project the image that they know something they don’t,” he says.

Get a Little Help

Cautionary tales of bridge-burning exist in every industry, but you especially want to think twice before you drop that match in the security world. By the same token, friends and associates in the industry can be an invaluable source of information and recommendations on jobs. Moore heard about the position at Merck from one of its consultants, a gentleman who also happened to be Moore’s former boss from Amoco. Of course, Moore wasn’t the only candidate in the running, but the fact that he landed the job was certainly due in part to his former employer’s knowledge of his skills and character, and that personal recommendation carried plenty of sway. “It’s still who you know,” says Mike Coughlin, director of corporate security with Wyeth, a pharmaceutical and biotechnology company. “It’s a very small community. And I’m always amazed at how hard it is to find a good person every time I go out to try and hire someone.”

Nearly a third of security professionals have a military background...
Military 29%
Business operations 18%
Corporate security 13%
Law enforcement 10%

...and more than a quarter have a security certification
CISSP 20%
MBA 14%
CISA 5%
PhD 2%
CPP 2%

NOTE: 408 RESPONDENTS. MORE THAN ONE ANSWER ALLOWED.

Be a Superstar

You’ve got to know how to sell yourself. But don’t confuse selling yourself with selling out. An effective technique for becoming known in the industry and developing some instant credentials is to speak at conferences and write articles—you know, become your basic security industry superstar. If you’re successful at making a name for yourself, you’ll be more attractive to future employers and you’ll have additional opportunities to network with the security illuminati. Moore represents Merck on the Overseas Security Advisory Council, he is a board member of the Pharmaceutical Security Institute and also a member of the International Security Management Association. He has found that the groups are a good way to get to know other people in the industry whom he respects. He suggests that CSO candidates look for similar opportunities as a way to build credibility. “It’s a good opportunity to demonstrate leadership,” he says. And you can’t fool too many people at that level—especially not in a large group. “CSOs are investigators,” says Moore, “so they’re trained to be skeptical.”

Investigate Your Prospects

In the close-knit security industry, there are tremendous opportunities to research the companies in which you’re seeking a position. Steve Katz, former CISO with Merrill Lynch and Citigroup, advises CSO candidates to get the skinny before going in for an interview. “Do your homework first. It’s a fairly small community, so somebody will always know somebody at the company that you’re interviewing with,” he says. If you can walk in with some basic background on the security organization, you can articulate more fully formed opinions and suggestions for what you can add to the organization.

Broaden Your Horizons

In many companies, physical and IT security are converging, and privacy may eventually fall under the security umbrella. So CSOs need to be prepared to expand and adapt their expertise to keep pace. “Companies are still defining what a CSO is to them,” says Lee Kushner, CEO of L.J. Kushner & Associates, a security executive recruiter. “[They’re still weighing] how much physical, how much information, how much risk management they see in the role. It’s still broad and undefined, so the broader the skill set, the more areas that [a candidate] touches, the more attractive he’ll be.”

Surround Yourself with Smart People

Long term, CSOs and security executives will also be well-served by surrounding themselves with teams of smart people. When Moore made the leap from Amoco to Merck, he came as a package deal. He brought Jonathan Tetzlaff, Amoco’s senior director of systems and programs, with him to get Merck’s redesigned security function off the ground. “Any organization is only as good as the people in it,” says Moore. “I think one of the pillars of a top-notch organization is outstanding recruiting. Whom you recruit—and then how well they do the job—reflects directly on you.”

Security executives who focus on team building and recognize the role that the people around them have in their success will always build strong organizations. And they will always be attractive to other companies for exactly that reason.

Daintry Duffy is a senior editor with CSO. E-mail her at dduffy@cxo.com.

hold an executive security position at your company, or both (see charts from our exclusive survey results, Page 46). Many of you are fulfilling a vague dictum from the board to get serious about security because of 9/11, or because of the continuing flow of computer attacks, or because of war. There are plenty of reasons to create a security function. Generally, though, it’s done without much notion of what the function should be (never mind a practical job description).

All of that combined with a penny-pinching economy, Lenzner says, makes many of you eminently fireable. If other executives perceive little or no value—or even negative value—from what you’re doing, you’ll be gone in a New York minute.

The good news is that some of the tips that helped you get the job will also help you keep the job. But here’s even more advice, from successful CSOs and ISOs in the field, on how to make yourself truly indispensable so that, one day, you too can rightfully brag like Bob Moore can today.


Easy Is Good

Overall, not getting fired is not so easy for security executives. After all, theirs is a job that, when done well, leads to...well, nothing. Sales executives can show higher sales and not get fired. Accounting executives can show lower expenses and not get fired. But security executives need, literally, to demonstrate that their spending led to nothing and that the company should keep spending money for nothing. Now, that’s a talent that requires exceptional skill!

Having said that, you can always start by grabbing for the low-hanging fruit—the easy tasks that demonstrate some of your value now. We’re not suggesting that such tasks are the most important steps for you to take, just the first ones. And that is an especially good place to start if you happen to be the company’s first security executive. You’ll need that “now” payoff that the easy win provides, since there’s a fairly good chance your executive board created the CSO position with only a vague sense of need—and with absolutely no good sense of the role. So if the board doesn’t see payoff soon, it’s likely to lose interest and try to kill the position, or, as it thinks of it, reduce the expenditure.

The easy (and relatively low-cost) first steps that follow will quickly give you purchase, and at the same time help your executive peers know, now, that you’re valuable.

First, Do Nothing (But Observe)

Pick your metaphor—survey the environment, do reconnaissance, diagnose the patient. The point is this: A good portion of a new CSO’s time should be dedicated to figuring out the corporate culture and how to work (in) it. If you don’t, you’ll probably lose your job.

Lenzner has seen it happen too many times. “When you go into an organization, you are probationary, no matter what level you’re at,” she says. “We’ve watched people go in and start firing, changing policy wholesale, messing with staff—and all before they even know where they are. All before they even have a clear understanding of how the company works.”

Conversely, she says, some security executives learn to go into a situation without a clear understanding, yet they thrive. “They take the time to learn the nuances,” Lenzner says, “and they find the silent players and learn the politics.”

The CSO who spends time studying his environment, says Lenzner, will hear what’s said but also hear what’s implied. “The CEO will say, We want you to do X, and the good CSO will know that means, We want you to do X, but if you alienate those three divisions of the company over there in the process, you’ll win a battle and lose the war. And they’ll know when to compromise, adapt.”

Then, Do an Audit

A corporatewide security assessment sets your bearings. Much of what you do afterward will be a result of this first major initiative. From this audit, you need a baseline of the company’s security status. “Baseline, baseline, baseline,” Stephen Northcutt says. “After I was hired but before I even walked into the building at BMDO (Ballistic Missile Defense Organization, now the National Missile Defense), I ordered an independent audit. Why? How am I going to say later that I made 2 percent progress without a baseline?”

You might as well know now that, to stay in your job, you’ll need to provide your peer executives—and the board—with more metrics than you ever imagined. Probably more than you have.

OK. Those of you with an IT heritage are now free to complain about how difficult it is to create meaningful security metrics. And those of you from a physical security background are allowed to mourn the loss of those days when no one asked you for them. Too bad for both of you.

“For a long time, security wasn’t challenged on metrics. We were different from the rest of the workforce, kind of mystical,” says Ray Humphrey, former CSO of Digital. “Recently, I see more emphasis than ever on providing the executive team with benchmarks and data. I happen to think that’s excellent.”

The hard truth, however, is that the degree of success a CSO can have will largely rest on his ability to provide metrics. “They’ll need to move security from the boiler room to the boardroom,” says Humphrey.

You will not be invited into the executive circle, says Ray Humphrey, former CSO of Digital, unless you elbow your way in.


Next, Pluck the Low-Hanging Fruit

Here’s an ancillary benefit of that first major security audit: It will, more often than not, expose one or two gaping holes in corporate security architecture and policy. Fix them right away, and make a big deal out of it.

“Financially, the only reason a CEO will call you is if he discovers losses or suffers an event,” says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who has held security and safety management positions at prisons. Patch up a gaping hole at little or no cost, and you’re immediately a minor hero, McCreary says. “You’ve done much better than coming in and asking for a lot of money to implement some overarching new plan.”

Soon after arriving at biotech company Genzyme, CSO Dave Kent learned it had 13 discrete building access systems and that dozens of employees were authorized to delegate access privileges (see “The Architect,” May 2003). Kent consolidated down to one system and authorized only a handful of employees to give access privileges (a more secure practice, anyway). Thing is, he also had the overarching new plan that would require tons of resources, but he took the easy win first and used it to build his case for the big picture effort.

Eight years later he’s still CSO.

Learn  How  to  Use,  Uh,  Whaddya  Call  It? 

So  you’ve  got  a  few  easy  wins  under  your  belt. 
Now  start  building  a  foundation  for  long- 
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term  success.  These  concrete  tips  focus  on 
further  dousing  that  mystical  aura  of  secu¬ 
rity  that  Humphrey  talked  about  and  replac¬ 
ing  it  with,  well,  a  fiscal  aura. 

Mike  Coughlin,  CSO  of  pharmaceutical 
company  Wyeth,  came  up  through  the  ranks 
like  many  CSOs— more  from  the  law  enforce¬ 
ment  side  of  things  than  from  the  business 
side.  But  Coughlin  says  that  today,  an  aspiring 
security’  executive  who  studies  criminal  justice 
is  “having  his  or  her  education  robbed.  I  want 
accounting,  management,  even  English  and 
history,”  he  says.  “You  used  to  be  able  to  get 
away  with  it.  We  were  in  the  in-house  police 
force.  But  no  one  who  wants  to  keep  his  CSO 
job  ignores  business  anymore.” 

Coughlin  says  he  needs  to  improve  his  own 
business  acumen.  You  get  the  sense  he’s  exag¬ 
gerating  some— peers  speak  highly  of  him— 
but  then  again  he  also  says  one  business  skill 
CSOs  need  is  “the  ability  to  make  attractive, 
uh— what  do  you  call  them?— the,  uh,  pre¬ 
sentations.  The  medium’s  the  message.  The 
ability  to  be  slick,  it  gets  senior  management 
on  your  side.” 

PowerPoint  is  good.  Humphrey  says  to 
learn  budgeting  and  strategic  planning.  Vari¬ 
ance  analysis.  “A  good  security  executive,”  he 
says  emphatically,  “can  demonstrate  contri¬ 
butions  to  the  bottom  line,  even  though  their 
job  means  taking  money  from  the  company 
and  they’ll  never  have  irrefutable  proof  of  their 
effectiveness.” 

It seems like pretty obvious advice—get business savvy—but it’s worth rehashing. Lenzner says she sees candidates who lose sight of this in uncertain situations (such as the one many of you are in—being a new CSO or your company’s first one). Those from the physical security world slip into a dogmatic enforcement mentality. And those from the IT world will likewise slump back into a technical posture.

In either case, peer executives will quickly start to expect nothing more from you, and you’ll turn into a perfectly fine middle manager with no executive clout, or you’ll be let go.

Says Coughlin, “The guys who are admired in this profession are at ease communicating in a business language and environment.”

Oftentimes that means using, uh, you know, presentations and stuff.

Adapt to Your Industry

Even Bob Moore, with two decades of impressive credentials, felt “angst” taking the job at Merck. Why? “I was moving to a new industry where I didn’t have knowledge and breadth of experience I needed,” he says. “I came from oil and gas, which you can steal, but you can’t counterfeit. Which is what product security at Merck is about: protecting against counterfeiting. I needed to get up the learning curve quickly.” In other words, security is contextual, and you had better know what context you’re operating in before you start applying policy and so forth.

Coughlin had a similar experience at Wyeth. “You might have scientists who cheat on drug orders and people who take bribes from vendors here, and cheating and bribes are no different challenges than you might face in a financial services company,” he says. “What is unique is the context; biotech is an environment which is like college. It’s an academic, campus atmosphere, so I’m not going to secure it the same way I would a financial services company.”

Stephen Northcutt ordered an independent audit as soon as he was hired. “How am I going to say later that I made 2 percent progress without a baseline?” he asks.

Serve Milk and Cookies in Blue Jeans

This odd directive is a composite of two techniques Northcutt experienced at the Navy. First, he held regular sessions, open to anyone, where he would spend a half hour explaining some technology to whoever wanted to know more about it. (It didn’t need to be limited to technology. A CSO with broader responsibility could spend a session talking about, say, a “clean desk policy”—keeping sensitive documents from prying eyes.) Northcutt served milk and cookies at these informal awareness sessions.

“You have to understand it was a hostile environment because the security officer there before me treated everyone like, Show me your plan and I’ll tell you what’s wrong with it. I mean it was overt hostility. Getting fired would have been easy,” Northcutt says. The awareness sessions made him less fireable because “people realized security had a clue and we cared about the same things they did.”

Or maybe it was the free milk and cookies.

The blue jeans thing, Northcutt says, comes from another former manager of his who, every Friday at 2:30 p.m., set aside the rest of the day to learn something technical. The manager, a buttoned-down type, called it “blue jeans day” even though he always wore business casual and kept a jacket and tie handy.

“It was great because he knew enough that, when you needed him to make hard decisions or operate in a crisis, he knew the basic concepts,” Northcutt says. “He knew what words to use, and people respected him.”

Photo caption: Stephen Northcutt says many potential security executives have an attitude because they are underqualified, which makes them “secretive, edgy and stressed out.”

Welcome to the Business Table

This is a two-step process. Step one: Bond with the other suits.

Don’t try to win influence with other executives by grabbing power or competing for resources. “To the extent you can bond with legal, risk management, audit, IT and all the others, do it,” Humphrey says. “Match up the sound bites, merge compliance and policy functions.”

Then there’s alignment. It has the hollow ring of an executive cliche. But here’s the thing: If you don’t do it, you won’t last long.

With the audit committee, especially, you want to buddy up. “It seems to me the idea of competing for resources with audit is the shortest path to going away,” says Allan Paller, research director of The SANS Institute and champion of the CISO function. “If you partner with them and share the load and treat audit with due deference, you have a shot. As long as you compete, it won’t work.” The key here is not to subjugate yourself to these other executives. You must view yourself as their equal. Just don’t fight them.

Step two: Crash the executive party. There’s no point in explaining this in any other way than Humphrey does, so, keeping in mind that Humphrey was a CSO and also an extended member of the board of directors at Digital, listen to what he says.


“You will not be invited into the executive circle of the corporation unless you elbow your way to the table. Volunteer for committees and workshops outside of security. I’ve always pushed my junior security managers to do this, and in a very short period of time, I guarantee, nonsecurity folks will come to you and say, Wow, I didn’t know you had so much talent in security.

“I might also tell you that the people who’ve worked for me have gotten accelerated promotions and, throughout America, they’re known as Ray Humphrey Graduates,” he says. “They are redefining the CSO role because they push themselves into the executive circle.”

Lose the ’Tude

Many executives think you have one. A bad one. And we’re not just talking about information security officers, either. Even traditional, physical security executives—younger ones anyway—are saddled with a largely negative perception.

In case you didn’t notice, we’ve come now to the soft and fuzzy part of the program, where to-do lists get tossed aside and psychology gets pushed to the forefront. In other words, the boardroom’s out; the couch is in. It’s time to learn what it means when a CEO, after eliminating the CSO or CISO, says, “There was just something about him that didn’t fit with the organization.”

You’re not going to like what that “just something” about you is. But you should know. Swallow hard and read on.

The physical security chief, according to stereotype, is a rigid and dogmatic “top cop” who has an “arrest” mentality and is a no-man as opposed to a yes-man.

The information security executive comes across as arrogant, a know-it-all who is whiny, defensive, uncooperative and doesn’t try to work with others because how could anyone possibly understand the technical challenges he faces?

Not valid? So what. Unfair? Stop whining. In fact, the security executive who raises a stink because of these preconceptions actually feeds the preconceptions. “We had one CSO candidate for a Fortune 500 not get the job,” says Lenzner. “And he—I can hardly explain it, but it was so telling—lashed out about how the company didn’t know anything. He was angry. Like a child that didn’t get his way.”

Northcutt believes the attitude comes from the fact that many CISO candidates are underqualified. “They are stressed out, secretive, edgy and defensive because they don’t have the understanding or mastery of tools they need,” he says.

At any rate, he explains how the attitude plays out in the business by role-playing as if he were an operations executive being approached by a CSO. “I’m operations. I am the business. My job is to get the trains running on time. My bonus depends on 5 percent better operations. A huge preponderance of my money is based on five nines.

“Then some security guy comes in and says, ‘Add this patch,’” Northcutt continues, incredulous and in a mocking tone. “As operations, what do I want to do? Take a bat and smash their heads! Security whines, but above that, they say no. What’s up with that? We are the business, Mr. Security Guy. Go figure out how to tell me yes, because that’s the only word I want to hear.”

In gentler tones, Coughlin says CSOs who come in with a criminal justice background also take the wrong tack. “They’ll come around trying to scare the hell out of you. They need to shed that attitude.”

Get Downright Humble

It’s not just about losing the brash front. You’ve got to swing to the other extreme. A humble security chief is in the best position to dictate his agenda because he will demonstrate to the other executives that their stereotypes are wrong.

We’re defining humble quite specifically here, but we’re also leaving very specific traits out of the definition. Humble doesn’t mean subservient or compromising. It doesn’t mean you downplay your ability or confidence. All of that would just make you inferior to other executives.

Beyond the empirical definition of humble—that is, the opposite of arrogant—there are three facets to how we’re defining the term.

First, be affable. That comes from firsthand experience. The sheer niceness of some of the most successful security executives we’ve encountered during the first year of CSO’s life has smashed our preconceptions. Those CSOs who aren’t losing their jobs are disarmingly kind and accommodating. This trait extends to crisis situations too, where a calmness and unflappability in the face of a major incident is de rigueur (see “It’s a Small World After All,” at www.csoonline.com/printlinks).

Lenzner calls it “approachable confident polish,” and adds, “These guys hold themselves to a higher level of honesty and loyalty.”

Second, cooperate with and rely on other CSOs. This hearkens back to loyalty—security executives honor the profession as much as they do their companies. It is a tight group, almost guildlike. “You pick up the phone and ask, What should I do?” says Wyeth’s Coughlin. “Don’t pretend you can do it yourself. Real-life experience is so important, and if you don’t have it, someone you know will. The security issue transcends competition. We have to cooperate, I think, to a point that CFOs and lawyers would be huffy if they knew how close we were.”

Kent of Genzyme talked to his peers around the block about a neighborhood security program as he helps secure a new world headquarters, even though many of those neighbors are direct competitors to Genzyme. Says Humphrey, “Crime itself recognizes no institutional boundaries, and therefore security should not. Good, successful CSOs can recognize the ability to work with colleagues at competitors without sharing proprietary information.

“I know of many situations where—honest—a CSO might end up with competitive intelligence. Say, a notebook. And without exception,” Humphrey says, “he will call his colleague at the other company and say, ‘This document belongs to you. Here’s who’s seen it. Nothing more will be done with it.’ And they’ll give it back. That’s the kind of honor we’re talking about.”

Third, be patient. The problem with having a holistic vision of security, which CSOs by definition ought to have, is it sparks a human impulse to realize that vision now. All at once. That, in turn, will almost definitely alienate you from other executives. “Exercise patience,” says Moore. “You can’t push everything at once. You have to prioritize.”

Moore says his own plan at Merck was a “five-year plan” and that complete buy-in of security as an executive-driven function took three and a half years. It’s a virtue for a reason.

Be Tom Cruise

There’s an English proverb that says, “Cheat me in the price but not in the goods.” It seems security officers—particularly information security officers—have taken this to heart and have learned some “shortcuts” to effectiveness in their jobs. It’s probably not a coincidence this somewhat cynical job advice came from ISOs, since IT traditionally treats security as an afterthought, trivial nonsense that threatens deadlines. At any rate, this is how it’s done:

Survey chart: C-level security titles are new to most companies (“Are you the first person at your company to hold your current title?”), and few have held their spot for more than three years (“How long have you been in your current position?” with bands of less than 1 year, 1 to 2 years, 2 to 3 years, 3 to 5 years and more than 5 years).

In A Few Good Men, Tom Cruise as Lt. Kaffee calls two Navy airmen into the courtroom who provide enough uncertainty to, eventually, unravel the insolent Col. Jessup played by Jack Nicholson. Later, we find out the airmen’s presence was a bluff; they were decoys who, if called to testify, had nothing to say.

So be Tom Cruise. Because, at times, you’ll be asked to provide more proof than you have for securing a project, even if you know that not securing the project is a great risk.

A CISO at one of the world’s largest banks (he requested anonymity, demonstrating that he knows how not to get fired) says he’s seen too many recklessly insecure programs get deployed. So he bluffs. The more documentation on hand when you go make the case to operations for securing a project, the better, this ISO says. “It doesn’t matter how good the documentation is, really. It just has to weigh a lot. There’s a fair bit of marketing involved here. I go in with three good metrics and seven pounds of paper underneath it, and it works. It works every time.”

Of course, you’ll be building a real portfolio of solid data (see below), but you knew that.

Be Brazen

Bill Spernow, the CISO at the Georgia Student Finance Commission, once observed that a security incident has a half-life of about six months. After a major security incident, that’s about how long other executives will be looking up to you. Stopping by your office. Taking the time to learn what exactly it is the security team does on a day-to-day basis.

It’s also when they’ll fund you. “What’s amazing about major incidents,” Northcutt observes, “is that the status quo ceases. At that moment you can go to the top brass and ask them for anything and they’ll do it. Boom.

“And, 100 percent of the time, I’m ready. I’ve got something on my shopping list. And I’m completely brazen about it. It might have nothing at all to do with the incident at hand, but I’ll get it.”

In both cases, you’re cheating a little bit. But it can be argued that if bluffing and opportunism lower risks to the company, then you cheated on the price but not the goods. You’ll have to work out the Machiavellian morals yourself.

Metrics, Metrics, Metrics

Finally, look ahead a little bit. If you’ve prioritized your to-do list, you’ve already started looking ahead, in a way, by putting off some projects in favor of others. But there are two other tips you should start thinking about.

We know it’s hard. We know it takes time and money, but eventually, security will be completely metrics-driven. So you need to develop, cull and otherwise employ risk analysis metrics and benchmarks. It will satisfy the CEO’s and CFO’s insatiable appetite for proof of your worth. Paller at SANS believes you should devote considerably more financial resources to developing benchmarks than you do today.

“The ISO is going to the CEO saying there’s a chance something bad, and possibly something embarrassing, could happen. But how much of a chance, the ISO doesn’t know,” Paller says. “And if he spends this kind of money, he can reduce the risk but by how much, he doesn’t know. It’s simply not enough data. Every other C-level executive does better than that and takes on the responsibility for defining the risk. Here, the CISO is putting the responsibility on the CEO. They don’t want it, and eventually they won’t take it.”

Create the X-Year Plan

Even as you implement all of the above, you should have an overarching vision for security. Genzyme’s Kent had a two-year plan for integrating security into his company’s culture. Moore had to build security from the ground up at Merck, and his was a five-year plan.

Moore says that, almost five years into his job, the plan is nearly fulfilled. Merck hadn’t employed a security executive before Moore arrived. Today, though, his security plan is comprehensive enough that he talks about coping with sudden and serious security issues like SARS (severe acute respiratory syndrome) even as it actively spreads overseas. He explains Merck’s process for dealing with SARS with respect to its employees, in a structured way, in great detail, and, as always, calmly and without the slightest hint of panic.

You don’t get the sense Merck’s going to let him go any time soon.

Senior Editor Scott Berinato can be reached via e-mail at sberinato@cxo.com.


If you believe that imitation is the highest form of flattery, then visit CSOonline’s Security Executive Research Center to read profiles of some of the best CSOs in the business. Go to www.csoonline.com/executive.
Where does security fit into the organizational chart? CSOs offer plenty of opinions, but consensus is hard to come by.


By Michael Fitzgerald

A new twist on an old joke: Put two CSOs together in a room and you’ll get three organizational charts.

How the corporate security function should be organized is subject to much debate. Here’s an example. Ed Casey, Procter & Gamble’s director of worldwide corporate security, reports into the human resources department. “HR is all about people, and our foremost task is protecting our people globally,” he says. But John Pomeroy, CSO of Siemens in Canada, rejects that arrangement out-of-hand. “Culturally it just doesn’t work. Human resources typically doesn’t have the understanding of what’s required for a total security package; they’re more huggy-feely,” says Pomeroy.

Other chief security officers variously advocate security reporting into facilities, operations, legal and even information technology.

Security touches every department of an organization. CSOs have to forge meaningful relationships with other Chiefs (Executive, Financial, Operations, Information, Risk) and deliver the best service possible at a minimum expense. Particularly vexing now is the question of how information security and physical security groups can most effectively work together. But each company needs to find a solution that best matches its business priorities, reduces security exposure and draws the necessary amount of executive support for the security function.

Variations on a Theme

Unfortunately, the industry is a long way from establishing best practices in organizing security; in fact, it’s hard to discern even common practices. Of more than a dozen companies interviewed for this article, no two described the same organizational structure, responsibilities and reporting relationships for their security leaders.

Procter & Gamble’s Casey handles physical security, but he also deals with general employee training for information security and with investigations of physical and information security breaches. Casey develops information security programs with P&G’s CIO, whose group implements security technology but does not have the resources for training or investigation.

Casey says his team’s placement within HR is a key reason why he does have those resources. Every Procter & Gamble unit and region has HR personnel who can coordinate and handle training. HR also serves as the point of security contact for all personnel. However, P&G relies on security champions: director-level business managers who are accountable for security lapses within their groups, be they product development leaks or cyberintrusions. Each group usually has multiple security contacts—people who have volunteered to take on security development and coordination for their units and who work with Casey’s staff.

Photo caption: Ed Casey, director of worldwide corporate security at Procter & Gamble, says reporting into HR reflects his top priority: protecting employees.

But where Casey says human resources gives him the ability to get things done that he couldn’t do otherwise, others such as Pomeroy say it’s the worst possible place to put a chief security officer. Likewise, Pomeroy says facilities is the wrong function to handle security (which is a more prevalent approach) because facilities management is naturally focused on keeping costs down, which may not create the best security environment.

Pomeroy was Siemens Canada’s CISO until 2001, when he proposed that the company put all security—information and physical—under one person. Siemens gave both responsibilities to Pomeroy and also created a separate risk assessment position. Pomeroy now reports to the company’s CFO, as does the CIO. The company’s chief risk officer also reports to the CFO (at Siemens Canada, the CFO runs everything except sales and strategic management, which report to the CEO).

Prior to Pomeroy’s appointment as CSO, physical security was handled by various units and had no central management. Pomeroy now coordinates those efforts and in addition works with the CIO on information security. The CIO’s group picks technology and implements it, but not until Pomeroy signs off on the product. Meanwhile, the chief risk officer handles risk mitigation and works side by side with Pomeroy. He says one key advantage of having a true CSO is that everyone in Siemens Canada knows where to go when they have a question about security.

Other companies describe different structures based on different business needs. As director of corporate security at Crown American Properties, Donald Story runs all aspects of security policy for the company’s shopping malls but has little to do with information security. Crown has relatively uncomplicated IT operations—and has, in fact, outsourced information security. Story reports to the senior vice president of asset management, who in turn reports to the company’s CEO. Physical security personnel report to each mall’s general manager, which is the norm in the mall business. Story says he thinks that arrangement keeps physical security responsibility where it should be—at ground level.

For many companies, today’s structure may not work tomorrow; they are still tinkering around with security governance, searching for the most effective combination. One Fortune 1000 medical supply distributor, whose security leader declined to be identified, splits information security and physical security. A vice president of enterprise security, who focuses on information systems security, initially reported to the company’s chief privacy officer. Evolving HIPAA requirements (the Health Insurance Portability and Accountability Act) led the company to eventually move the CPO into a compliance group, while the vice president and his infosecurity group were shifted into the CIO’s organization. He coordinates with counterparts on the physical side of security where appropriate (but has no official connection on the org chart) and works closely with another important organizational ally for security: the audit function.

The vice president’s group has worked hand in hand with audit personnel in the process of developing infosecurity policies. “Audit has been a powerful tool for enforcing security procedures,” he says. The distribution company generally operates in a decentralized manner, but audit’s baseline procedures must be adhered to by all parts of the business. Getting audit buy-in thus gives information security added clout.

Sticking Point: Infosec

What to do with information security is, in fact, the biggest point of controversy.

The idea of folding information security in with the corporate security function—as illustrated by Pomeroy’s new responsibilities at Siemens Canada—is new for many companies, but that structure has been around for a long time. Eduard Telders, security manager at Pemco Financial Services, runs everything to do with the company’s security—physical, information, all safety programs and contingency planning—and has for more than 14 years. In the eight years before that, he did the same kind of job at a different company. Educated as a marine biologist, he wound up in information systems and also as a certified protection professional, or CPP. “Our job is risk management. The only difference between physical and information security is the toolkit,” he says. Pemco cross-trains its security staff to deal with both information and physical security issues. Telders is matter-of-fact about the combination of labor, unlike many who say the two skill sets are a challenge to combine.

Note that this organizational structure swipes IT security from the CIO. The justification for doing this is the fox-in-the-henhouse problem. That is, organizations are not good at self-policing. At Pemco, Telders reports to the CEO; the company’s chief information officer (who does not have information security in his budget) reports to the chief operations officer.

Some skeptics, to be sure, argue emphatically that IT and physical security personnel go together like cats and dogs. Gartner Vice President of Security Research John Pescatore calls the trend toward combining them a fad. Setting aside the oft-noted cultural differences between the two groups (see “Smackdown!” at www.csoonline.com/printlinks), the common refrain is that managing these different types of security requires two very distinct skill sets. “In 90 percent of cases, it doesn’t make sense to try to combine physical and information security,” Pescatore says. The exceptions, he says, are companies that are responsible for other companies’ data, such as Web-hosting services, or are in an industry where IT needs are simple, such as the construction or retail sectors.

Survey chart: Security silos have yet to converge. “Are traditional and information security combined at your company?” Yes, 19 percent; No, 81 percent (408 respondents). A second chart notes that most companies still place infosecurity under the CIO.

Some other companies have regulatory motivation for keeping the two functions separate. Many financial services organizations face regulatory requirements regarding security and confidentiality of sensitive data. Banking functions and stock trading must be managed separately, both from an IT and a physical security perspective. “You can’t have somebody fixing a system on the banking side and then walking over to fix a system on the trading side,” notes a management-level security professional at a Wall Street firm, who asked not to be identified. While adhering to such separation does create inefficiencies, particularly over who responds to issues involving hacking, it eliminates some risks inherent in sharing resources, which can lead to breaches of integrity that could put a company out of business. “The biggest thing is confidentiality,” says the Wall Street manager.

However, a rapidly growing number of practitioners and industry watchers say the trend is logical and inevitable. Within five years, “most organizations will have a risk management function that is not within IT,” predicts Chris Byrnes, vice president and security analyst at Meta Group. Byrnes says that function will include a number of things currently on CIOs’ plates, such as disaster recovery, an enterprise program management office, architecture issues and non-IT risk functions like fraud and physical security.

“The  truly  sophisticated  companies  are 
starting  to  look  at  a  coordinated  approach  to 
physical  security,  information  security  and 
risk  management,”  says  Lance  Wright,  prin¬ 
cipal  at  the  Boyden  Global  Executive  Search 
company.  Wright  thinks  that  security  func¬ 
tions  will  become  strategic  to  organizations, 
much  as  what  happened  with  HR  depart¬ 
ments  years  ago.  “Companies  viewed  HR 
departments  as  just  overhead,  until  they  real¬ 
ized  that  management  of  your  human 
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Responsibility  Without  Authority 

This  org  chart,  from  a  networking  services 
company,  shows  how  CSOs  are  rising  in  the 
executive  ranks,  without  always  gaining  solid¬ 
line  authority  over  key  security  staff. 
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While  this  CSO  is  responsible 
for  setting  security  standards 
and  policies— dictating 
building  access  privileges,  for 
example— he  has  no  direct 
authority  to  oversee  the 
implementation  of  those 
access  privileges,  which 
instead  falls  to  the  heads  of 
operations  and  facilities. 

The  advantage  to  this  setup 
is  cultural.  It  embeds  security 
within  the  business  units.  The 
disadvantage  is  to  the  CSO, 
who  is  clearly  responsible 
when  things  go  wrong  but 
has  little  authority  to  effect 
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resources  was  as  critical  a  business  process  as 
any.  The  same  thing  will  happen  with  the 
management  of  security,”  he  says. 

Rising  to  the  Top 

wright’s  point  cuts  to  perhaps  the  most 
important  objective  in  security  governance: 
Until  top-tier  management  recognizes  secu¬ 
rity  as  a  critical  function  with  strategic  impact, 
security  of  all  sorts  wall  continue  to  get  shuf¬ 
fled  around  and  fail  to  obtain  adequate 


as  security  rises  in  importance.  Don  Cornell, 
principal  at  Security  Recruiters,  expects  to  see 
the  CSO  job  title  evolve  much  as  the  CIO  title 
did.  “In  the  old  days,  people  didn’t  understand 
what  a  chief  information  officer  was,  so  it 
couldn’t  possibly  be  a  C-level  job.  That 
changed  over  time;  I  think  that  will  happen  in 
the  security  field  as  well,”  he  says.  At  the  same 
time,  Cornell  notes  that  his  clients  rarely  ask 
him  to  fill  Telders-type  jobs,  preferring  either 
specific  candidates  for  physical  security  tasks 
or  information  ones.  He  thinks  this  will 


ing  relationship  I  have  with  the  president  and 
CEO,  I  can  cut  across  any  type  of  logistical 
issues,”  Walsh  says. 

Siemens’  Pomeroy  echoes  that  sentiment. 
“Security  should  have  one  individual  giving 
direction,  and  that  person  has  to  have  the 
blessing  of  the  CEO  and  the  CFO.”  Whatever 
the  org  chart  says,  wherever  the  CSO  may 
report,  top-level  executive  support  is  the 
grease  that  makes  the  security  machine  ulti¬ 
mately  effective. 

Without  it,  Pomeroy  says,  enforcing  secu¬ 


resources  to  get  the  job  done.  One  CSO  laugh¬ 
ingly  puts  it  this  way:  “After  all,  the  CEO’s 
going  to  want  to  fire  someone  important!' 
Jokes  aside,  a  single,  business-minded 
leader— a  CSO— managing  all  of  security  has 
the  best  chance  of  getting  that  level  of  execu¬ 
tive  buy-in.  To  build  a  security-minded  cor¬ 
porate  culture,  the  security  function  needs  to 
establish  a  beachhead  in  the  boardroom. 

For  this  reason  more  than  any  other,  many 
recruiters  say  dual-domain  CSOs  like  Pemco’s 
Telders  will  become  the  rule  for  organizations 


change  as  companies  continue  to  suffer  secu¬ 
rity  incidents. 

John  P.  Walsh  has  a  situation  that  most 
security  personnel  only  dream  of:  He  reports 
to  the  CEO.  Walsh,  vice  president  and  direc¬ 
tor  of  corporate  security  at  Stephens  Group  (a 
holding  company  in  Little  Rock,  Ark.,  that 
operates  one  of  America’s  largest  investment 
banks),  says  that  reporting  into  the  top  level 
“speaks  volumes  to  the  rest  of  the  organization 
in  terms  of  the  worth  and  relative  merit  of 
the  security  department.  Based  on  the  report¬ 


rity  mandates  “is  like  pushing  an  elephant  up 
a  hill.”  ■ 

Michael  Fitzgerald  is  a  freelance  writer  based  in  California. 
E-mail  feedback  to  Executive  Editor  Derek  Slater  at 
dslatemcxo.com. 


Should  CSOs  be  responsible  for  both  informa¬ 
tion  security  and  physical  security?  When  does 
it  make  sense  to  separate  these  functions?  Go 
online  and  read  TALK  BACK,  an  interactive 
column  on  CSOonline,  and  then  tell  us  what  you 
think.  Go  to  www.csoonline.com/talkback. 
Mitnick’s Social Engineering in 2 Days
Wireless Network Security in 4 Days
Professional Hacking in 7 Days
Computer Forensics in 3 Days
Security+/TICSA in 6 Days
Check Point in 6 Days
CCSP® in 12 Days
CISSP® in 7 Days
is given to extreme pi
ment. May aims some of his most vitriolic opinions straight at the security community, which he says has misbranded and miscommunicated itself into organizational irrelevancy. His solution: a “geek-to-suit messaging architecture” to help information security pros connect with corporate leadership. May
Executive Editor Derek Slater,

CSO: What got you going on geek-to-suit messaging?

Thornton May: I’ve spent the past 17 years watching CIOs slam into the brick wall. I think technology’s been misbranded. Brands make things easier [to understand]. Brands are a promise. Brands embody trust, basically. Right now, if you look at what’s happening in the IT world, there is a total lack of trust. And we’re moving to a totally customer-driven world, where the customers are very brand aware and brand savvy.

With regard to the security area, in my days with [managed security services provider] Guardent, I did a giant job—basically analysis and assessment of what was going on, securitywise, for a major client. And its [security] guys made CIOs look eloquent. If you look at the IT message ecosystem—what messages are being sent, who are they being sent by, what form are they being sent in, who are they being sent to and the ultimate impact of their receipt—there is so much wasted effort. [The messaging] is not designed to produce an efficacious impact. That is the real challenge for CSOs right now: Their message is so totally uncompelling.

Given the world we live in today, how can that be?

Exactly! How can security be uncompelling in a world that is screaming for it? These [CSO] guys couldn’t sell water to a man on fire. They are gifted, gifted nonbranders! The reason is that they never got the idea that 80 percent is good enough. If I have to go to one more conference where everybody gets up and throws themselves on the cross of, “You will never be totally secure....” OK, then, how secure are we? “Uh...I can’t tell you.” OK, well then I’ll just sit here and do [absolutely] nothing! Because that’s what you’re doing for me. The security guys offer no path, no promise.

What about the hypothesis that they are so completely earnest as to be incapable of BS?

No, I don’t even think that’s it. That’s putting it in a cloak of nobility. I think they’re so into their cult, their own Kool Aid, that [they say,] “I’m the only person who knows how bad it is.” The way organisms survive in a high-stress world is they collaborate and work together. Security people do not collaborate and do not work together. I don’t see them rolling up their sleeves and saying, Let’s solve this problem together.

We certainly have seen repeatedly the amazing rift and dislike between the infosecurity guys and the corporate security guys.

There’s been no attempt to make them play nicely together, culturally. Basically, the Mensa guy walks in and calls corporate security the “dog-and-gun guys.” And those guys call the computer guys “the geeks.” They’re not on the same page. They’re not playing on the same team. Their social networks have never been brought together.

What’s your solution? Is it a set of processes for translating the “geek” message into something that the CEO can understand?

The secret is that there is no geek message. There can’t be. I went to a major event sponsored by McKinsey, with the top guys at Shell. The McKinsey guy keeps saying, “You’ve got to get IT aligned with the business.” And the chairman of Shell says, “Son, I don’t think you understand. At Shell, there is no such thing as an IT project. There are business projects that have IT stuff in them.” There’s no such thing as a security project. Right now, security is not a feature in anybody’s product or service. It could be a critical differentiator—the new secret ingredient. That’s why branding is so important.

Have you seen anyone do it right? Does anybody get the concept?

Not really. At American Express they’re getting there, the whole Blue thing. [“Blue” is an AmEx credit card brand with embedded smart-chip technology for enhanced security in online shopping.] Security was part of that brand, but right now people are puckered up with regard to cost savings. And then security guys label themselves by saying, “This is going to cost you a lot of money, but you have to do it.” And CEOs just respond, “I don’t have to do it.”

Are you telling me that companies can’t do something with security that makes them money? That security doesn’t touch any of your customers? We haven’t embedded security behaviors or thinking or functionality in the value stream. We’re selling negatives, not positives.

So if you were to create a CSO training film, with the proper use of messaging and branding, how would the scenario go?

I would show you people who are building online relationships with their customers; and why do they choose you? One of the reasons is that you’re secure and you have the easiest-to-use security.... How do you raise awareness that there are differentiated levels of security? I think the financial services [companies] have taken the wrong tack. The banks [should, but don’t] compete against each other vis-à-vis “I’m more secure than the other guy.”

Part of the problem seems to be messaging between geeks and their internal customers.

That is actually a simpler message. Security people don’t listen. Great communication requires listening. Security people are always in broadcast mode, never in receive mode, because they are telling you what to do. At American Express, for all its major IT projects going forward, [CIO Glen Salow] and his senior staff basically go through a two-to-three-day risk review exercise. They analyze those projects on 50 dimensions of IS risk and business risk and give them a rating [which] they compare against a database of 7,000 previous projects. Projects don’t go [forward] unless they’re secure.

So what security people need to do is....

Well, they’re [often] not even at the table when you’re designing a project. (Actually, that’s not too much of a problem right now because there are no new projects!) But the whole idea of a CSO is intriguing because, well, what is the role of the CSO versus that of the CIO? Is the CSO responsible for all the secure systems in the enterprise, whereas the CIO is in charge of the insecure systems?

Your great opportunity [with this magazine] is that there may be an identity crisis for CSOs right now because they haven’t made enterprises more secure. What they’ve done is, they’ve centralized blame.

Maybe that’s true. We’ve seen a lot of firings.

Yeah, they’re really going after these guys because they’re not happy with them.... If you’re not liked and you don’t have a power base, how are you going to win? It’s Machiavellian, but if [the suits] don’t like you, you cost them money, and they’re just paying lip service to you, what’s your future?

I think the evolutionary path of the CIO is very relevant. It has significant lessons to teach us about the evolution of the CSO. Looking back, where did the initial CIOs’ ideas come from? A lot of them came from the vendors, from the technical community. And I would say that analogy [has merit] right now. A lot of CSOs are [in the role] because they’re championing some kind of technology. Among the first things CIOs did was append technology to existing business processes. We are now appending security to existing IT processes. That process is exothermic as opposed to endothermic; it consumes energy instead of releasing energy. In an energy-saving environment, that’s a problem. Ultimately, people saw that business runs better with IT [embedded in it]. And we’ve got to get to the point of seeing that IT processes work better when you have security embedded in them.

It’s going to be very difficult to get through that right now because we’re in this terrible budget squeeze. But we need to answer the question: How do I actually make money with security?

So the geek-to-suit messaging architecture is that the geek has to change the message, communicate in business terms and embed security in every business project?

You asked the question the right way up front. In a world that is so security aware, how is it that security people aren’t getting any traction? I think it may be that we’re trying to do the wrong things, and we’re definitely delivering the wrong messages.

It took a long time for CIOs to get the hang of geek-to-suit messaging...

And they still aren’t there!

Which suggests this could be a long and difficult process for security.

It could be. But security is like penicillin: It’s so powerful and so authentic. [The problem is] the accessibility of the message. We need a security Sputnik to happen. Eisenhower used Sputnik brilliantly to say, “We need to upgrade our math and science skills.” I think today we need to upgrade our basic technology literacy.

A few people are doing this well, such as [vice president and corporate security officer] Dennis Devlin at [information service provider] Thomson. In these holding companies, they run a pretty tight ship. For something like 44,000 employees, there’s a total headquarters staff of, I think, 80 people; and the IT group is like 15 people. So Dennis actually has a chance to get the message through because he’s one of only 15—versus people with herds and herds.

What do you recommend for those in gigantic organizational blobs? Pick their targets, work on key relationships, one at a time?

I like that idea. It’s almost a counterinsurgency thing. You’ve gotta choose and infiltrate the social networks of the organization. Now, there’s no basis for trust.

In the earliest issues of our sister publication, CIO, we ran stories advising readers to do things like play golf. Get out and shmooze. Should CSOs heed that advice as well?

Shmoozing is not a relationship, it’s not trust. The thing that’s nice about golf is it puts you in a shared space with someone. But putting people who detest each other in a shared space isn’t going to make the problem go away. You’ve got to create an opportunity for shared spaces where they can figure out you’re not a bad person, and you can create a way of working together.

So, you get in the shared space. But then you have to demonstrate that you’re there to listen, not simply to pontificate.

Right. Because [the CSO’s] agenda isn’t going to win. The chairman is not going to go to bat for the security person. The entire suit population is very political; they’ve got agendas. What the security person should do is get inside those agendas and help make them successful.

It’s not really geek-to-suit translation; it’s suit-to-geek translation, [with the suit saying]: “This is what I’m trying to do. What have you got for me?” ■

The CSO Role | Interview

“The way organisms survive in a high-stress world is they collaborate and work together. Security people do not collaborate and do not work together.”
-Thornton May

OK, you gifted nonbranders: Speak up. Why can’t CSOs communicate? Go online and tell us what you think. Type the DocID number (1380) into the search box to post a comment at www.csoonline.com.

June  2003  www.csoonline.com  57 


Sony Puppy Fingerprint Identity Products

Network Login: Password
File Security: Encryption
VPN / Remote Access: Digital Certificate
Web Portal: Password
Paperless Contracts: Digital Signature

© 2003 Sony Electronics Inc. Reproduction in whole or in part without written permission is prohibited. All rights reserved. Sony, Memory Stick, and Puppy are trademarks of Sony. Dog image © artlist INTERNATIONAL.

IT DOESN’T JUST RECOGNIZE YOUR FINGERPRINT; IT RECOGNIZES YOU.

VISIT WWW.SONY.COM/PUPPY FOR INFORMATION ON SONY’S FULL LINE OF FINGERPRINT IDENTITY PRODUCTS.

FIU-900 Memory Stick Fingerprint Identity Token
FIU-710 Fingerprint Identity Token
FIU-600 Fingerprint Identity Device

When you consider Sony’s background in imaging and electronics, it’s not surprising that the line of Puppy® Fingerprint Identity Products is the Work Smart approach to security.

Password-protected Web sites and applications can now be accessed without having to remember a long list of passwords. Simply place your finger on the pad, and click, you’re there! Unlike a password, your fingerprint can’t be forgotten or stolen! The Sony line of Puppy® Fingerprint Identity Products provides personal authentication, network access, and file encryption, as well as more robust public key infrastructure (PKI) transactions, personal digital certificates, and Virtual Private Networks... all accessible at a touch within your existing IT infrastructure. And there’s no way someone else can ever gain access to your fingerprint file, because its record never has to leave the device. Unlike other fingerprint ID systems, only Sony can scan, match and store your private fingerprint information onboard. How’s that for secure?

Work Smart. Work Sony.


Technologies, Tools and Tactics

Information Warfare: What Is It Good For?

In this case, the best offense is a good defense. By Simson Garfinkel


The sky hasn’t fallen yet, but it soon may. At least that’s been the message repeated for more than a decade by computer security professionals, military planners and multiple blue-ribbon commissions. All have warned of an impending “Digital Pearl Harbor” in which U.S. computers will be hit hard by foreign governments or terrorists employing a variety of electronic attacks. The result, we’re told, will be damage to critical infrastructures, massive economic loss and perhaps worse.

Let’s face it: Cyberattacks are easy. In August 2000, an employee at an Internet news service published a fake press release for Emulex and caused the company’s market capitalization to drop by $2.5 billion. SQL Slammer used a vulnerability that had been known about for months, causing significant damage, and it could have wiped the hard drive of every infected system—if only its author had been more vindictive.

Since the early 1990s, it’s been clear that an organized attack over the Internet or other data networks could seriously disrupt not just civilian but military targets as well, thanks to increased interconnections. In the 1980s, a group of West German hackers broke into more than 40 sensitive computer systems at the departments of Defense and Energy, and NASA. During the first Gulf War, hackers from the Netherlands broke into 34 DoD systems—including the computers that support ships in the theater of operations. In 1995, an Argentinean hacker broke into DoD, NASA and Los Alamos National Labs systems that contain information on aircraft design, radar technology and satellite control systems. In February 1998, two teenagers from California, tutored in the art of hacking by an 18-year-old Israeli, broke into other DoD systems. In each of these cases, had the hackers been suitably motivated, they could have caused substantial damage to U.S. national security.

Given all that, why didn’t the Iraqi military start attacking us in cyberspace when we started bombing their country? At the very least, why didn’t Iraqi sympathizers and angry youths walk in from the Arab Street and start pounding us from their keyboards? When I called my friends in Washington and asked them that question, their answer was simple: The nation’s digital security has gotten a lot better in the past two years.

Lines of communication that did not exist even two years ago have opened between law enforcement, the military, commercial providers and businesses. Administrators and software providers have become far more aggressive about deploying security technology like virus scanners and applying security patches. As a result, those running the national information infrastructure are now in a much better position to deal with current attacks. Yes, we’re still vulnerable to worms and viruses, but those attacks are less likely to jeopardize lives. The Hoover Dam is secure.

And yes, some teenage hacker with a few hundred “zombies” on the Internet can use those assets to launch a distributed denial-of-service attack against a website. With just a few mouse clicks, the teenager might cause 6Gbps of traffic to bear down on some hapless victim. But aggressive monitoring now picks up these attacks shortly after they start. Once identified, it takes only a few phone calls to update a router configuration and neutralize the onslaught.

During the war in Iraq we experienced an upsurge in low-level denial-of-service attacks against websites, but for the most part these attacks appear to have been the work of relatively unsophisticated and underfunded sympathizers.

Iraq of the 1990s simply wasn’t a good place for aspiring information warriors to develop their skills. What’s more, those individuals with highly marketable computer skills were more likely to leave the country than to serve the regime. Countries such as China, England, France and Russia all have info-war capabilities; Iraq didn’t.

Ironically, probably the most successful cyberspace attack of the 2003 Gulf War appears to have been a U.S.-originated attack against the English language version of the Al Jazeera website; whether it was an official attack of the U.S. military or the act of homegrown hackers sympathetic to the U.S. position remains unclear.

Lessons from the Front

To understand what all this means for CSOs, it’s helpful to look closer at the U.S. military’s own thinking, planning and response.

Within the U.S. military, the phrase “information warfare” really covers a broad spectrum: blowing up bridges that contain fiber-optic cables, dropping leaflets urging troops not to use weapons of mass destruction or using intelligence to aim 2,000-pound bombs on “leadership targets.” For the military, “information warfare” really means using information to multiply the effectiveness of traditional war-fighting capability. It includes the millions of e-mails and text messages sent to Iraqi commanders. It also includes the practice of deception against the enemy and the use (or manipulation) of the news media. The decision to embed journalists with its forward troops, for example, was a marvelously successful part of the U.S. military’s information warfare strategy.

When computer geeks think of information warfare, their minds turn to hacking and cracking: shutting down communications networks by penetrating their routers and wiping out configuration files; planting viruses inside enemy e-mail systems; grounding enemy aircraft by diverting fuel trucks to the wrong bases. Most military planners classify these operations as cyberwar.

It’s hard to write knowledgeably about our government’s offensive information


Access, Unlimited

If your company’s name badges merely get employees through the front door, you’re out of date.

Access-control technologies now mean that ID cards can be used to store attendance and health records, log users on to their computers or pay for a Coke from the soda machine downstairs. CSOs can program cards to turn electricity and air-conditioning off and on, limit employee access by time of day or location, and give traveling executives access to the Amsterdam office. “Access control is now based on an integrated system of technology. We are at computer-based operations that are enterprisewide,” says Marc Bradshaw, president of the International Association of Professional Security Consultants. Embedded smart card technology, in particular, has changed the game in access control.

Swipe cards are pretty much passé, giving way to proximity cards—access cards that work within 12 to 14 inches of a reader. Smaller and cheaper memory chips, made possible through technological advancements, are now often embedded in smart cards, making access control more affordable—even for small companies. And on the move up, biometrics. Although in use mostly by government operations, biometrics is slowly permeating private industry and will be the next big thing in access-control security, says Bradshaw.

HID Corp. (www.hidcorp.com), a manufacturer of contactless readers, offers numerous types of smart cards, including both traditional swipe cards and proximity cards. HID says forthcoming generations of technology will include embedded chips that store information such as when—and at which locations—cardholders can access certain buildings. Of the cards offered by HID, proximity cards traditionally have offered the best security and control. But Deb Spitler, vice president of marketing, says new smart cards utilize encryption and mutual authentication that raise the bar.
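The mutual authentication Spitler mentions is what separates a keyed contactless card from a proximity card that simply announces a fixed number: the card proves it holds a secret without disclosing it, and the reader has to prove the same thing back. The following Python model is an added example, not HID’s iCLASS protocol or any vendor’s code. It assumes a site master key, per-card keys diversified from the card UID, and HMAC-SHA256 tags (real cards use hardware ciphers such as 3DES or AES and shorter MACs); the master key and UID in it are constructed samples. It shows that a copied UID passes a proximity reader, while a cloned card, a replayed exchange and a reader that lacks the key all fail against the mutual-authentication flow.

```python
# Added example: static-ID proximity cards versus challenge-response mutual
# authentication. Simplified model, not HID's iCLASS protocol; the master key
# and UID below are constructed samples.
import hashlib
import hmac
import os

MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key derived from the site master key and the card UID.

    Extracting the key from one card does not yield the keys of other cards.
    """
    return hmac.new(master_key, b"card-key:" + uid, hashlib.sha256).digest()


def tag(key: bytes, role: bytes, uid: bytes, r_nonce: bytes, c_nonce: bytes) -> bytes:
    """Authentication tag over both nonces; 'role' keeps card and reader tags distinct."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in (role, uid, r_nonce, c_nonce):
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefixed fields
    return h.digest()[:16]


class ProximityCard:
    """Legacy card: broadcasts a fixed identifier and holds no secret."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def present(self) -> bytes:
        return self.uid


class ProximityReader:
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def admit(self, card) -> bool:
        return card.present() in self.allowed  # a copied UID is indistinguishable


class SmartCard:
    """Card holding a diversified key; it proves knowledge of the key, never reveals it."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key

    def respond(self, r_nonce: bytes):
        c_nonce = os.urandom(16)
        return c_nonce, tag(self._key, b"card", self.uid, r_nonce, c_nonce)

    def verify_reader(self, r_nonce: bytes, c_nonce: bytes, reader_tag: bytes) -> bool:
        expected = tag(self._key, b"reader", self.uid, r_nonce, c_nonce)
        return hmac.compare_digest(expected, reader_tag)


class ClonedCard(SmartCard):
    """Attacker copied the UID off the air but does not know the key."""
    def __init__(self, uid: bytes):
        super().__init__(uid, os.urandom(32))


class ReplayCard(SmartCard):
    """Attacker recorded one genuine (c_nonce, tag) pair and replays it."""
    def __init__(self, uid: bytes, captured):
        super().__init__(uid, b"\x00" * 32)
        self.captured = captured

    def respond(self, r_nonce: bytes):
        return self.captured  # ignores the fresh reader nonce


class MutualAuthReader:
    def __init__(self, master_key: bytes, allowed):
        self.master_key, self.allowed = master_key, set(allowed)

    def admit(self, card) -> bool:
        if card.uid not in self.allowed:
            return False
        key = diversify_key(self.master_key, card.uid)
        r_nonce = os.urandom(16)  # fresh per session: defeats replay
        c_nonce, card_tag = card.respond(r_nonce)
        if not hmac.compare_digest(card_tag, tag(key, b"card", card.uid, r_nonce, c_nonce)):
            return False  # card does not know the key
        reader_tag = tag(key, b"reader", card.uid, r_nonce, c_nonce)
        return card.verify_reader(r_nonce, c_nonce, reader_tag)  # card checks the reader too


class RogueReader:
    """Skimmer without the master key: can collect responses but cannot satisfy the card."""
    def __init__(self):
        self.fake_key = os.urandom(32)

    def admit(self, card) -> bool:
        r_nonce = os.urandom(16)
        c_nonce, _ = card.respond(r_nonce)
        forged = tag(self.fake_key, b"reader", card.uid, r_nonce, c_nonce)
        return card.verify_reader(r_nonce, c_nonce, forged)


def demo() -> dict:
    uid = bytes.fromhex("0123456789ab")  # constructed sample UID
    genuine = SmartCard(uid, diversify_key(MASTER_KEY, uid))
    reader = MutualAuthReader(MASTER_KEY, [uid])
    captured = genuine.respond(os.urandom(16))  # one exchange, as an eavesdropper would record it
    return {
        "proximity_accepts_clone": ProximityReader([uid]).admit(ProximityCard(uid)),
        "mutual_accepts_genuine": reader.admit(genuine),
        "mutual_rejects_clone": not reader.admit(ClonedCard(uid)),
        "mutual_rejects_replay": not reader.admit(ReplayCard(uid, captured)),
        "genuine_card_rejects_rogue_reader": not RogueReader().admit(genuine),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The two design points worth carrying into a real deployment are the ones the model makes explicit: the reader’s nonce must be fresh per session, or a recorded exchange replays, and the card must verify the reader before releasing any stored data, or a skimmer can read the card’s contents without ever knowing the key.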
HID’s iCLASS suite includes a contactless smart card with read and write capabilities. Unlike proximity cards, contactless smart cards can contain information married to the individual user—such as health records, which make it easier
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warfare  capability;  the  capability  is  largely 
classified.  But  sources  tell  me  that  much 
more  money  is  spent  on  defensive  meas¬ 
ures  than  offensive  ones.  That’s  because 
every  military  installation  is  responsible 
for  defending  its  own  computers.  But 
because  cyberwar  is  so  new,  relatively 
untested  and  specialized,  a  decision  to 
launch  a  cyberweapon  could  be  made 
only  at  the  military’s  highest  levels.  If  a 
commander  in  the  field  wanted  to  shut 
down  an  enemy  e-mail  server,  it  would  be 
far  easier  to  simply  bomb  a  building  than 
go  through  channels  to  do  something 
digital.  Top  brass  would  likely  feel  the 
same  way:  Our  military  officials  under¬ 
stand  the  political  fallout  of  accidentally 
bombing  the  wrong  building;  they  don’t 
know  what  would  happen  if  they  released 
a  computer  worm  that  “accidentally”  shut 
down  the  Internet  for  a  few  days. 

The  U.S.  military  actually  has  a  huge 
incentive  to  have  politicians  group  cyber¬ 
weapons  in  the  same  category  as  poison 
gas  and  germs— that  is,  weapons  that  are 
simply  too  terrible  to  use.  That’s  because 


cyberweapons  are  cheap:  If  their  use 
against  the  enemy  is  legitimized,  then  their 
use  against  our  own  civilian  infrastructure 
is  potentially  legitimized  as  well.  That’s 
why  if  we  are  attacked  with  cyberweapons, 
our  military  is  probably  more  likely  to 
respond  with  conventional  weapons. 

Surprisingly, CSOs are faced with this same calculus when their systems are attacked in cyberspace. If a hostile customer shows up at your office with a gun and starts shooting, it's entirely appropriate for an armed security guard to respond with deadly force; in fact, the courts would see this as an exercise in self-defense. But if that same hostile customer were to launch a cyberspace attack against your servers, it would be utterly inappropriate to respond by hacking that customer's desktop computer or DSL modem. A more reasonable approach would be to report the attack to law enforcement or sue the customer in the civil courts.

That is a decision you might need to make some day. Like the military, many businesses are essentially developing an offensive cyberwar capability as part of their effort to defend themselves. If you have an antivirus system, then you have a collection of intercepted viruses that you could easily e-mail to your attacker. Many of today's network scanners will happily launch destructive scans at the click of a button. In order to effectively audit their systems, most security administrators have learned how to hack.

What's more, businesses are increasingly finding themselves in situations where "hacking back" seems like the only reasonable alternative. Law enforcement won't care that your organization has been attacked unless you have significant monetary damage. Meanwhile, you may not be able to file a lawsuit unless you can identify the perpetrator, which may be difficult if the attack originates from a server in China. Wouldn't it be much easier, cheaper and faster to type a few commands and shut down the enemy system?

Perhaps, but any organization that takes the law into its own hands by hacking back has far more to lose than its attacker. Hacking is illegal; breaking the law opens the organization up to legal liability and criminal prosecution. It's safer to simply add a few rules to your firewall and hope that the attacker will go elsewhere. And with any luck, the sky won't fall after all. ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company. He can be reached at machineshop@cxo.com.
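The column's closing advice, adding a few firewall rules rather than hacking back, as an added example that is not Garfinkel's code: constructed log lines are parsed, sources that cross a rate threshold inside a one-minute sliding window are collected, and nftables drop rules are returned as strings for review rather than applied. The log line shape, the threshold, the window, the sample addresses and the nftables table and chain names are all assumptions made for the example.

```python
"""Defensive response to hostile traffic: rate-limit offenders into firewall rules.

Added example, not the column's code. Log format, thresholds and nftables
table/chain names are assumptions; nothing here applies a rule, it only
returns the rule text for review.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape (constructed for this example, not a real product's format):
#   2003-06-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = [
    # 203.0.113.7: six probes inside 30 seconds -> crosses the threshold
    *[f"2003-06-01T10:00:{s:02d} DROP src=203.0.113.7 dst=192.0.2.10 dport=22" for s in range(0, 30, 5)],
    # 203.0.113.9: six probes but two minutes apart -> never five in one window
    *[f"2003-06-01T10:{2 * i:02d}:00 DROP src=203.0.113.9 dst=192.0.2.10 dport=22" for i in range(6)],
    # 198.51.100.3: two hits, under threshold
    "2003-06-01T10:00:03 DROP src=198.51.100.3 dst=192.0.2.10 dport=445",
    "2003-06-01T10:00:04 DROP src=198.51.100.3 dst=192.0.2.10 dport=445",
    # 10.0.0.5: our own vulnerability scanner, noisy but on the never_block list
    *[f"2003-06-01T10:00:{s:02d} DROP src=10.0.0.5 dst=192.0.2.10 dport={p}" for s, p in enumerate((21, 22, 23, 25, 80, 443))],
    # 2001:db8::1: IPv6 source, five hits in five seconds
    *[f"2003-06-01T10:01:{s:02d} DROP src=2001:db8::1 dst=192.0.2.10 dport=22" for s in range(5)],
    # attacker-controlled junk that must never reach a shell command
    "2003-06-01T10:01:09 DROP src=203.0.113.7;rm dst=192.0.2.10 dport=22",
    "not a log line at all",
]


def parse(line):
    """Return (timestamp, ip_address, dport) or None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        # ip_address() rejects anything that is not a bare literal, so a
        # crafted src field cannot smuggle shell syntax into a rule.
        return datetime.fromisoformat(m["ts"]), ipaddress.ip_address(m["src"]), int(m["dport"])
    except ValueError:
        return None


def offenders(lines, threshold=5, window=timedelta(minutes=1), never_block=()):
    """Sources with at least `threshold` events inside any `window` span,
    skipping anything inside the never_block networks (your own scanners,
    partners, upstream providers)."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    seen = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is not None:
            ts, src, _ = parsed
            seen[src].append(ts)
    hits = []
    for src, stamps in seen.items():
        if any(src in net for net in protected):
            continue
        stamps.sort()
        j = 0  # left edge of the sliding window
        for i, ts in enumerate(stamps):
            while ts - stamps[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                hits.append(src)
                break
    return sorted(hits, key=lambda a: (a.version, int(a)))


def nft_rules(sources, table="inet filter", chain="input"):
    """nftables commands that drop the offenders; returned, not executed."""
    return [f"nft add rule {table} {chain} {'ip6' if s.version == 6 else 'ip'} saddr {s} drop" for s in sources]


if __name__ == "__main__":
    for rule in nft_rules(offenders(SAMPLE_LOG, never_block=["10.0.0.0/8"])):
        print(rule)
```

Because the source address in a log line is whatever the sender put on the wire, a script like this can be turned into a denial-of-service tool against you: an attacker spoofs packets from a partner's address and your automation blocks the partner. The never_block list and the review step exist for that reason, and the input should be limited to traffic whose source has actually completed a handshake rather than unverified connectionless protocols.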


to treat an employee who falls ill at work, or specified access for that employee, for example, allowing only approved personnel into R&D labs. (Proximity systems can store this kind of information in a centralized database but not in the card itself.) Contactless smart cards can hold as much as 16 kilobits (2 kilobytes) of memory, enough to store a template for cutting-edge biometric technologies, such as fingerprint and hand geometry identification, says Spitler.
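The mutual authentication that the sidebar credits contactless smart cards with, as an added example that is neither HID's protocol nor code from the page: a hypothetical HMAC-SHA256 challenge-response in which card and reader each prove possession of a shared per-card key over fresh nonces, shown beside a proximity card that only broadcasts a fixed ID. The replay that clones a proximity card is run against both, and a reader without the key tries to talk the smart card into releasing its data. The class names, the 16-byte nonces, the direction labels and the sample card number are assumptions made for the example.

```python
"""Static ID versus mutual challenge-response, hypothetical model (not iClass).

Added example. The card and reader share a per-card key and authenticate
each other with HMAC-SHA256 over nonces from both sides, so a recorded
exchange cannot be replayed and a reader without the key is refused.
"""
import hashlib
import hmac
import secrets


def _tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts; the first part labels the direction."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class ProximityCard:
    """Legacy proximity card: it emits a fixed ID whatever it is asked."""

    def __init__(self, card_id: bytes):
        self.card_id = card_id

    def respond(self, _reader_nonce: bytes) -> tuple:
        return self.card_id, b"", b""


class ProximityReader:
    """Admits whoever emits an ID on the allow list; nothing proves the emitter is the real card."""

    def __init__(self, allowed_ids):
        self.allowed = set(allowed_ids)

    def authenticate(self, card) -> bool:
        card_id, _, _ = card.respond(secrets.token_bytes(16))
        return card_id in self.allowed


class SmartCard:
    """Contactless smart card holding a per-card secret key (assumed diversified per card)."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self.key = card_id, key
        self._nonce = b""

    def respond(self, reader_nonce: bytes) -> tuple:
        # Card proves key possession over the reader's fresh challenge plus its own nonce.
        self._nonce = secrets.token_bytes(16)
        return self.card_id, self._nonce, _tag(self.key, b"card", reader_nonce, self._nonce, self.card_id)

    def verify_reader(self, reader_nonce: bytes, reader_tag: bytes) -> bool:
        # Mutual half: the reader must prove it has the key over the card's nonce
        # before the card releases anything stored on it.
        expected = _tag(self.key, b"reader", self._nonce, reader_nonce, self.card_id)
        return hmac.compare_digest(expected, reader_tag)


class SmartReader:
    """Reader holding each enrolled card's key; runs both halves of the handshake."""

    def __init__(self, keys: dict):
        self.keys = keys  # card_id -> key

    def authenticate(self, card) -> bool:
        reader_nonce = secrets.token_bytes(16)
        card_id, card_nonce, card_tag = card.respond(reader_nonce)
        key = self.keys.get(card_id)
        if key is None:
            return False
        expected = _tag(key, b"card", reader_nonce, card_nonce, card_id)
        if not hmac.compare_digest(expected, card_tag):
            return False  # wrong key, or a response replayed from an earlier challenge
        return card.verify_reader(reader_nonce, _tag(key, b"reader", card_nonce, reader_nonce, card_id))


class ReplayCard:
    """Attacker's clone: records one genuine exchange and replays it verbatim."""

    def __init__(self, genuine):
        self._captured = genuine.respond(secrets.token_bytes(16))  # eavesdropped session

    def respond(self, _reader_nonce: bytes) -> tuple:
        return self._captured  # ignores the new challenge entirely

    def verify_reader(self, _reader_nonce: bytes, _reader_tag: bytes) -> bool:
        return True


class RogueReader:
    """Reader without the key: tries to talk the card into releasing its data."""

    def authenticate(self, card) -> bool:
        reader_nonce = secrets.token_bytes(16)
        card.respond(reader_nonce)
        return card.verify_reader(reader_nonce, secrets.token_bytes(32))  # forged tag


def demo() -> dict:
    card_id = b"\x00\x00\x12\x34"  # constructed sample card number
    key = secrets.token_bytes(16)
    prox_reader, smart_reader = ProximityReader([card_id]), SmartReader({card_id: key})
    prox_card, smart_card = ProximityCard(card_id), SmartCard(card_id, key)
    return {
        "prox_genuine": prox_reader.authenticate(prox_card),
        "prox_clone": prox_reader.authenticate(ReplayCard(prox_card)),      # replay succeeds
        "smart_genuine": smart_reader.authenticate(smart_card),
        "smart_clone": smart_reader.authenticate(ReplayCard(smart_card)),   # replay fails
        "smart_vs_rogue_reader": RogueReader().authenticate(smart_card),    # card refuses
    }


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name}: {'admitted' if admitted else 'refused'}")
```

The model leaves out what a real deployment has to add on top: per-card key diversification from a master key, a key that never leaves the reader's secure element, and a cipher whose strength has been reviewed, since a weak proprietary cipher undoes the value of the handshake.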

At Lenel Systems International (www.lenel.com), the emphasis is on the integration of security management solutions. Through its OnGuard ET second edition product, Lenel integrates the monitoring and maintenance of varying aspects of security, including access control, video monitoring systems, visitor management, even fire alarm systems. Lenel CEO Elena Prokupets says this system allows security executives to integrate both physical and logical security and take "total control of people walking in and out of your building, who invited them and what employees are responsible for these visitors."

The OnGuard system allows supervisors and others to log in to workstations or shut off access in cases when an employee leaves a company. In addition, Prokupets says OnGuard can generate numerous reports from its various security systems, making it easy to keep track of those systems and ensuring they are online and doing their job.

AMAG Technology (www.amagaccess.com) also focuses on integration, linking together the best security products on the market. A CSO with video monitors, intercom systems and smart card access at doors can monitor all three systems from a central location. One of AMAG's specialties is the integration of biometrics technologies into security systems.

"Typical off-the-shelf biometrics requires a lot of installation. Each reader has to be connected to each other, and it's hard to enroll people," says AMAG Director of Sales and Technical Support John Cassise. AMAG has developed software that seamlessly integrates biometric systems into more standard access-control systems, allowing users to enroll, manage and monitor biometric readers without having to switch to a different database, partially by using a smart card to store a person's biometric template. With AMAG's technologies, users can store and authenticate more than 150,000 templates.

-Julie  Hanson 


Broken Windows in the Boardroom

It’s  the  job  of  the  CSO  to  clearly  articulate  expectations 
about  corporate  behavior  and  establish  accountability 

By Anonymous

I'VE LONG HEARD IT SAID in public-safety circles that if a broken window in a building is left unrepaired, the rest of the windows will soon be broken as well. In other words, neglect is a signal that no one cares and will ultimately only invite more disorder.

Case in point: Remember during the early '90s when Rudy Giuliani was able to celebrate a significant reduction in crime in New York City? Putting to the test a theory of "order maintenance" that had driven scores of smaller community policing efforts for nearly two decades, Giuliani sent a message loud and clear that even seemingly innocuous misdeeds would not go unpunished. He showed New York that its police force was never too busy fighting "real crime" to go after toll jumpers, pickpockets or graffiti artists.

I'm sure the notion of order maintenance could apply to the way we police our businesses. But instead of broken glass or graffiti, our private-sector indicators are unclear expectations, a lack of accountability and a willingness to simply look the other way. Yet shareholder and employee "residents" have the right to expect a safe, predictable environment that malfeasance and poor ethical hygiene sometimes threaten.

Imagine, if you will, a particularly talented software engineer engaged in a high-visibility project that has CEO interest and strong financial support. A routine audit of his travel reveals several months of false expense claims involving entertaining fellow employees at bars and adult clubs. For fear of derailing the project, his manager tells audit, "it has been taken care of," and merely scolds the employee. Or what if an investigation confirms a clear case of embezzlement by a high-level finance employee who eventually admits to years of theft involving a half million dollars? Management declines to prosecute to avoid adverse press and merely fires the employee after partial restitution. The employee is hired by another company in a similar position shortly thereafter.

What’s  the  big  deal,  you  ask?  These  aren’t  instances  of  great  corporate  crime 
or  front-page  scandal.  Neither  the  shareholders  nor  the  company’s  standing  in  the 
market  has  been  damaged  much.  In  larger  companies  especially,  the  damage  is 
lost  in  the  rounding.  Has  anyone  really  been  hurt? 

How many names do you want? How 'bout we start with the savings-and-loan fiasco? I could get specific and remind you about Adelphia, Barings Bank, Drexel Burnham Lambert, Enron, Global Crossing, Tyco and WorldCom. In the past two decades, U.S. businesses have been involved in numerous scandals and high-level wrongdoings. And those are only the most recent examples. At first glance, you might think they were fat cats playing it fast and furious with the books, that their problems weren't caused by trivial matters. Kind of like comparing a bank robbery with stealing books from the library, right?

Well, don't kid yourself. These stories of shame started with broken windows, and that's why these big companies are in trouble today.

Getting  Skin  in  the  Game 

Now, I believe that there's no greater risk than that of the knowledgeable, empowered insider. Still we tolerate our minimally communicated business conduct policies, little or no background vetting, a standards-absent virtual office, and a passion for outsourcing our most sensitive business processes to companies (in countries) we know precious little about and that have no clue or buy-in to our notion of corporate integrity.

Since the implications of shareholder and public perception of corporate ethical lapses are increasingly obvious, reputational risk is front and center on the minds of many directors and nervous shareholders. State and federal legislation followed up by criminal and regulatory sanctions have incrementally raised the bar on consequences. Capital markets, shareholders and the public are rightfully demanding accountability.

Board members, directors and some corporate officers apparently are responding to the increased limelight and potential for personal liability with a harder line on assurances that the organizations they serve have safeguards and controls in place that will identify prospective problems. Previously held norms of corporate governance are being tested for adequacy to their shareholders. Corporate ethics and a culture of doing the right thing are very much "in" topics. Investor confidence, already hammered by a significant downturn in the economy, now wonders aloud how to vet trust in a company's integrity in addition to its financial opportunity.


One way to do that is to have a comprehensive security program, grounded in accepted policy, visibly supported by senior management and led by a highly competent CSO who is connected to the business by effective relationship management. Within that charter is a clear mandate to manage a system of controls and safeguards that measurably contribute to the ethical hygiene of the organization.

The chief security officer can be a key player in the corporate governance team and in the reputational risk management of the organization. But how do we build the program to make that connection? The devil is in the details.

Let's assume you and I are on a team to review and recommend a business conduct policy framework for our organization. We've been asked to build the framework within an established set of corporate values that has integrity as its centerpiece. The chairman and the board have made it clear that we are an ethical company where our shareholders and employees can be assured that we will do "the right thing."

Having been on that team, I'll tell you that you don't start by thinking about felonies and misdemeanors. You don't ask the difference between naughty misconduct and outright bad behavior. At its core, it's about good hygiene and individual accountability. Companies are selective in deciding what is right or wrong. If a top executive pads his expenses once in a while, it might be overlooked, but if a temporary employee or some hourly worker did it, I bet she'd be gonzo in a heartbeat.

Yet  it  shouldn’t  be  about  big  shots  and 
blue  collars,  plaques  on  the  wall  and  speeches 
about  values.  It’s  about  a  culture  where 
accountability  for  doing  the  right  thing  is  the 
way  things  are  done.  Period. 

Of course, it makes a great sound bite, and it's easy to say. But it's very, very difficult to implement.

To make integrity a cornerstone of a company's culture, you need to make a clear business case. That starts with a commonsense acceptance that, without the trust of the shareholder, the customer and the employee, there is no business. In other words, trust has an economic, as well as an altruistic, value.

Who  Ya  Gonna  Call? 

Ultimately,  who  is  responsible  for  setting  the 
standard  of  ethical  behavior?  For  looking  for 
the  broken  panes  in  the  various  corporate 
windows? 

First and foremost, of course, are the board and CEO, who together set the tone and reinforce the values at every opportunity. They demonstrate the commitment to integrity in daily business conduct. The policy infrastructure becomes a constant reference point for business conduct.

My company has more than 30 core business conduct policies published on its intranet and scores of related, more technical policies within various elements of the company. A critical element in the program is a module in the various manager training and development programs.

The local business executive, preferably the first-line manager, is also paid to know the neighborhood and work the streets. He becomes the agent of the culture and the behavior model. Show me a manager who demonstrates the wrong values and I will guarantee his work group has other problems that would interest security and others.

After the first-line manager comes a team of governance, oversight and administrative resources: security, audit, ethics, compliance, legal, human resources, finance and others who are in unique positions to see anomalies, failures or flaws in controls, lessons from various incidents, opportunities for improvement and feedback to management.

Once employees see management's commitment to a system of processes, procedures and safeguards that assure their concerns will be protected, you'll start to see order restored. Security, legal and HR departments are keys to that element of the integrity infrastructure.

Once you connect the dots, you start to realize that it isn't that you have a bad guy in production, it's that he has a bad manager who set a bad behavior standard that created a problem in the first place.

And it doesn't stop there. Why didn't that manager's manager realize the emerging issue? Where was human resources in the exit interviews, in the daily interactions? What about the internal audits? After a significant internal incident, when you peel the layers back, you find evidence everywhere. The postmortem has to find the root causes so that you're not destined to repeat those mistakes.

If the CSO has unique linkages to his governance peers and proper access to the top, he can put the disparate pieces from the multidepartmental findings together and end up with a picture of internal risk dynamics that's not available elsewhere. You might say that CSOs have the means to eliminate plausible denial.

Effectively connected CSOs have a bird's-eye view of those and other disparate pieces of data on corporate hygiene. They connect the dots that others don't even see. As such, they are critical to corporate integrity. CEOs and other senior executives need to make room for this perspective if they hope to positively affect corporate strategy. ■

This column is written anonymously by a real CSO. For reader feedback, send us an e-mail message at csoundercover@cxo.com.


Companies everywhere are facing a new kind of threat. Fortunately, there's a new level of protection.

Introducing Application Intelligence only from Check Point.

The Internet is evolving. So is the technology that keeps it secure. Now Check Point introduces Application Intelligence, a major breakthrough in the evolution of Internet security and a definitive response to the growing problem of application level attacks. With Application Intelligence integrated into Check Point FireWall-1 and SmartDefense, your business-critical systems are safe from both network and application level attacks. By providing the world's only truly integrated security infrastructure, Check Point centralizes and strengthens your defense against attack at every level, every location. Want to take Internet security to the next level? Get the revealing new white paper that tells you everything you need to know about the latest cyber threats, "Internet Security Redefined: A new level of integration, a new level of protection," at www.checkpoint.com/appint/cso

Check Point Software Technologies Ltd.

We Secure the Internet

©2003 Check Point Software Technologies Ltd. All rights reserved.


Speaking in Tongues

Translation Table: what the CSO says, what the CEO hears, what the CFO thinks and what the CIO mutters

1. What the CSO says: We should run an independent audit to create a baseline profile of our company's security practices and needs.
   What the CEO hears: We should pay some consultant to come in here and figure out that you've been using the corporate jet to weekend in Cabo.
   What the CFO thinks: Of course, we have our own audit group, but that apparently doesn't drain enough resources for Captain Cost Center.
   What the CIO mutters: You couldn't possibly understand my complex systems well enough to audit them.

2. What the CSO says: Corporate espionage is a risk we can't ignore. We should start an internal awareness campaign.
   What the CEO hears: Corporate espionage is an opportunity we can't ignore. We should start a campaign.
   What the CFO thinks: Awareness campaign? Tell you what, Senor Spendthrift, why don't we just start a bonfire and use revenues as kindling.
   What the CIO mutters: Awareness? Are you aware that you couldn't possibly understand my complex systems?

3. What the CSO says: The company should think strategically about risk. Security can contribute to the bottom line.
   What the CEO hears: I want a key to the executive washroom, stock options and a raise.
   What the CFO thinks: Eliminating Joe Millionaire over here would contribute significantly to the bottom line.
   What the CIO mutters: Our biggest strategic risk is if you think you could possibly understand my complex systems.

4. What the CSO says: An adequately trained and motivated security staff is essential for a secure work environment.
   What the CEO hears: A motivated security staff could essentially do anything it wants to the company.
   What the CFO thinks: Hold on, Richie Rich. A CPP training class is gonna cost what???
   What the CIO mutters: No amount of training could possibly help your staff understand my complex systems.

5. What the CSO says: Risk is risk, whether you're talking about IT or physical infrastructure. I'll lead our effort to mitigate all risk.
   What the CEO hears: I will gladly be your fall guy.
   What the CFO thinks: Great. Now Spendy the Clown can be the fall guy.
   What the CIO mutters: You can be the fall guy when my complex systems are hacked, even though you couldn't possibly understand them.
Manage Security Policies instead of Security Products

StoneGate firewall and VPN reduces complexity and lowers your structured cost. Manage security, not technology.

Security: Enables unified firewall and VPN security from laptops, to data centers and mainframes.

Manageability: Centrally manages and upgrades local and remote sites. Reliably connects fault-tolerant VPNs and firewalls with multiple ISPs. Grows without the need for over-investing or fork-lift upgrades.

The cost of your security complexity is higher than you think.

Contact us today to learn how to remove complexity from your security. Visit www.stonesoft.com or e-mail info@stonesoft.com. Attend or view our webinars at www.stonesoft.com/seminars

STONESOFT


Can  your  antivirus  software  provide  double  the  scanning  power?  Ours  can. 

Making  sure  your  company  is  secure  gets  more  and  more  difficult  every  day.  That's  why  eTrust™  Antivirus  v7 
from  Computer  Associates  uses  dual  scanning  engines  to  ensure  comprehensive  virus  protection.  It  processes 
data  in  real  time  to  search  out  and  eliminate  viruses,  and  it  also  scans  files  during  prescheduled  and 
off-peak  hours.  All  at  the  cost  of  most  single-engine  AV  products.  It's  more  than  just  twice  the  protection. 
It's  twice  the  peace  of  mind.  ca.com/etrust/antivirus 


eTrust™  Antivirus 


Computer  Associates® 